Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a78ae5eaf0472ae3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 12.8 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 60d39ebabf9103fdf66d29b35d2ca19d
SHA-1: e4760db8e2251983e47d088e52c5a72a294713aa
SHA-256: a78ae5eaf0472ae3f1aa757b0556848b230049c7ad01dcf203eda3e36523511f
Risk Score: 370

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample contains a Workbook_Open VBA macro that calls URLDownloadToFile to fetch two VBScript files from the hard-coded pastebin URLs listed below into the user's Public directory. It then attempts to execute the downloaded scripts via cmd.exe, which is downloader/dropper behaviour. The WScript.Shell and cmd.exe references in the macro source further support this assessment.

Heuristics (10)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present).
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pastebin.com/raw/yvyE642L
    • https://pastebin.com/raw/qzduaLGZ

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  2115 bytes
                   SHA-256: 3f72bccdc73558004a30bc04d7f48e460d0af107758dd0be1d74b91b4c1e8b6a
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            13312 bytes
                   SHA-256: 8c98d7544f0add0d31e871337f67f4da21e42698c4246eef79dfdf93595deecf