Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9fde823cf2105b5a…

MALICIOUS

Office (OOXML)

Size: 223.8 KB
Created: 1996-10-08 23:32:33 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2021-06-04
MD5: 93a3349a6b4ad2f3ddb44850f455ee06
SHA-1: b5c53e292c364581b4e047cd1ba4058565ed1e2e
SHA-256: 9fde823cf2105b5ad85ff957af8838586b73c282753a9612f0a91388c6582d88
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro, which is a common technique for executing malicious code upon opening. The macro is likely designed to download and execute a second-stage payload, as indicated by the presence of VBA macros and the external relationship heuristic. The document body contains what appears to be statistical data in Russian, but its content does not directly indicate malicious intent; the maliciousness is inferred from the macro execution.

Heuristics (3)

  • External relationship (severity: high; rule: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\Fsgpgvc02\Users\СТАТИСТИКА\старая-форма 6 раздел 2 3 4.xls
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 1 related finding)
    Document contains a VBA project: VBA macros present
  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro present; it runs automatically when the workbook is opened

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 22460 bytes
SHA-256: 41aa29526f8706a22f4a129384de04366becf0a118f9c547d79c2b6f527e152e

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_Open()
 Call Class_Initialize
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
ThisWorkbook.Save
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
If ActiveSheet.Name = "нарастающий" Or ActiveSheet.Name = "месяц" Or ActiveSheet.Name = "прошлый_месяц" Then
Cancel = True
MsgBox "Печать таблицы не предусмотрена. Для печати отчета используйте бланки", , "!!!"
Exit Sub
End If
If Sheets("нарастающий").Range("a2010").Value = "" Then
Cancel = True
MsgBox "Печать запрещена. Не сделан файл архива", , "!!!"
Else
Cancel = False
End If
End Sub

Private Sub Workbook_SheetBeforeDoubleClick(ByVal Sh As Object, ByVal Target As Excel.Range, Cancel As Boolean)
Cancel = True
End Sub

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Excel.Range, Cancel As Boolean)
Cancel = True
End Sub

Attribute VB_Name = "Модуль1"
Sub кнопка_создание_всех_архивов(control As IRibbonControl)
Application.Run "Start.xlsm!создание_архива"
End Sub

Sub кнопка_запустить_МСК(control As IRibbonControl)
Application.Run "Start.xlsm!запустить_МСК"
End Sub

Sub кнопка_активизировать_ОРД(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ОРД"
End Sub

Sub кнопка_активизировать_К(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_К"
End Sub

Sub кнопка_активизировать_ФБ(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ФБ"
End Sub

Sub кнопка_активизировать_ПНП(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ПНП"
End Sub

Sub кнопка_активизировать_ОЖ(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ОЖ"
End Sub

Sub кнопка_активизировать_НПА(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_НПА"
End Sub

Sub кнопка_активизировать_Р(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_Р"
End Sub

Sub кнопка_активизировать_СМИОПП(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_СМИОПП"
End Sub

Sub кнопка_активизировать_ВОиПП(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ВОиПП"
End Sub

Sub кнопка_активизировать_ГМК(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ГМК"
End Sub

Sub кнопка_активизировать_ОН(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ОН"
End Sub

Sub кнопка_активизировать_ГАС(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ГАС"
End Sub

Sub кнопка_активизировать_НСиД(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_НСиД"
End Sub

Sub кнопка_активизировать_УСО(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_УСО"
End Sub

Sub кнопка_активизировать_УИС(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_УИС"
End Sub

Sub кнопка_активизировать_КДПО(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_КДПО"
End Sub

Sub кнопка_активизировать_ПМ(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ПМ"
End Sub

Sub кнопка_активизировать_АДМ(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_АДМ"
End Sub

Sub кнопка_активизировать_СТАТ(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_СТАТ"
End Sub

Sub кнопка_активизировать_ОПК(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ОПК"
End Sub

Sub кнопка_активизировать_ЗИПГАС(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ЗИПГАС"
End Sub

Sub кнопка_активизировать_ВБА(control As IRibbonControl)
Application.Run "Start.xlsm!активизировать_ВБА"
End Sub

Sub кнопка_
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 189440 bytes
SHA-256: a12ae4357358202ac6d86a7d30c642b0289366138721332dd2df2ae5bbee70f1