Verdict: MALICIOUS
Risk Score: 224
Heuristics: 8
- VBA project inside OOXML (medium, 6 related findings, OOXML_VBA): Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Call Shell("TaskKill /F /PID " & CStr(lPid))`
- VBA polls global keyboard state (keylogger) (high, OLE_VBA_KEYLOGGER_SPYWARE): The macro declares or calls a Win32 keystroke-monitoring API (GetAsyncKeyState, SetWindowsHookEx WH_KEYBOARD, or GetKeyboardState) to capture keystrokes system-wide. No legitimate document automation polls global key state; this is the core of a VBA keylogger, usually paired with active-window capture (GetForegroundWindow) and a log file. A high-confidence spyware behaviour independent of any download / Shell evidence. Matched line in script: `Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _`
- VBA hooks the VBE-editor / macro-list keys to evade inspection (high, OLE_VBA_VBE_KEY_HOOK_EVASION): The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded. Matched line in script: `Application.OnKey "^{F8}", "fainiente"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `pas = Environ$("PUBLIC") & "\WI-FROM Ballarini1"`
- Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
Extracted artifacts: 3
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13677 bytes | 1361b8c044c98743d63fced04e4016e052cce970ede1e03424643401ad503c80 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Author: Studio Ballarini
'Location: Sassuolo (MO)
'mobile: +39 3480029582
'Version: WI-FROM Studio Ballarini
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#Else
Private Declare Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#End If
Private Const VK_F9 = &H78
Private Sub Workbook_Activate()
Application.DisplayAlerts = False 'very important: avoids showing the warning that it cannot link to the external file, because the csv supplies no data if it is not open
Application.EnableCancelKey = xlDisabled
DoEvents
Application.OnKey "{ESCAPE}", ""
Application.OnKey "%^+{RIGHT}", "CelaSvelaRibbon"
Application.OnKey "^{F3}", "fainiente"
Application.OnKey "^{F4}", "fainiente"
Application.OnKey "^{F6}", "fainiente"
Application.OnKey "^{F8}", "fainiente"
Application.OnKey "+{F3}", "fainiente"
Application.OnKey "{F3}", "stampare"
Application.CommandBars("Ply").Enabled = False
Application.OnKey "+{PGUP}", ""
Application.OnKey "+{PGDN}", ""
Application.OnKey "^{PGUP}", "zoomup"
Application.OnKey "^{PGDN}", "zoomdown"
Application.OnKey "^{RIGHT}", "windowsdx"
Application.OnKey "^{LEFT}", "windowssx"
Application.OnKey "^{UP}", "windowsup"
Application.OnKey "^{DOWN}", "windowsdown"
Application.OnKey "^{HOME}", "centrafinestre"
Application.OnKey "{F6}", "VISUALIZZARE"
opendachiuso = "no"
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Application.DisplayAlerts = False
Application.ThisWorkbook.Saved = True
Call Shell("TaskKill /F /PID " & CStr(lPid))
DoEvents
Call Shell("TaskKill /F /PID " & CStr(lPid2))
DoEvents
ThisWorkbook.Saved = True
End Sub
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
MsgBox "Hai aggiornato il numero e la data della versione nel foglio COVER?"
If Salvo = 1 Then
GoTo 44
End If
Dim msgpass
Dim mypass
Dim dataok
Salvo = 0
dataok = MsgBox("Hai aggiornato la data di scadenza nella m. Open e nel Command B del foglio COVER?", vbYesNo, "?")
If dataok = vbYes Then
msgpass = "Insert Password if you want to save:"
mypass = InputBox(msgpass, "Studio Alfredo Ballarini alfredo@ballarini.info", "")
If mypass = "28421284" Then
Salvo = 1
End If
44
If Salvo = 1 Then
ActiveWorkbook.Unprotect Password:="28421284" 'TO AVOID THE VISUAL BASIC MACROS BEING STUCK WHEN I REOPEN IT
DoEvents
Salvo = 0
GoTo 4
End If
Dim lReply As Long
lReply = MsgBox("Protected copy: if you press Ok the workbook will be closed", vbQuestion + vbOKCancel)
Cancel = (lReply = vbCancel)
If Cancel = True Then
End
End If
Cancel = True
ThisWorkbook.Close SaveChanges:=False
End
4
ActiveWorkbook.Unprotect Password:="28421284" 'TO AVOID THE VISUAL BASIC MACROS BEING STUCK WHEN I REOPEN IT
DoEvents
IndiceFogliNascosti
Salvo = 0
Else
MsgBox "Allora niente!!"
Cancel = True
End
End If
End Sub
Private Sub Workbook_Open()
On Error Resume Next
Application.ScreenUpdating = False
Application.DecimalSeparator = ","
ActiveWorkbook.Protect Password:="28421284" 'I DON'T KNOW WHY, BUT IT ONLY WORKS UP HERE! very important: IF I PROTECT THE WORKBOOK FROM THE EXCEL MENU AND SAVE, THE MACROS STOP WORKING
DoEvents
Application.DisplayAlerts = False 'very important: avoids showing the warning that it cannot link to the external file, because the csv supplies no data if it is not open
DoEvents
Application.WindowState = xlNormal
If opendachiuso <> "no" Then
IndiceFogliScoperti
End If
Application.ScreenUpdating = False
Application.DecimalSeparator = ","
DoEvents
Application.DisplayAlerts = False 'very important: avoids showing the warning that it cannot link to the external file, because the csv supplies no data if it is not open
DoEvents
Application.EnableCancelKey = xlDisabled
DoEvents
DoEvents
Salvo = 0 ' now needed to stop recalculation while the print area is created in id card as the file opens; afterwards the id card activate macro must work
On Error Resume Next
Salvo = 0 ' now needed to stop recalculation while the print area is created in id card as the file opens; afterwards the id card activate macro must work
Application.DisplayAlerts = False 'very important: avoids showing the warning that it cannot link to the external file, because the csv supplies no data if it is not open
Application.Iteration = True
CelaSvelaRibbon
ULTIMONUMERO = 300
DoEvents
If GetAsyncKeyState(vbKeyControl) Then
DoEvents
GoTo vieqqua
DoEvents
End If
exdate = "04/30/2021"
If Date > exdate Then
MsgBox ("You have reached end of your trial period")
Dim stexto
stexto = InputBox("Inserire la password per proseguire", "soli x 2:")
If stexto <> "yalps1dyalps1d" Then
ActiveWorkbook.Close SaveChanges:=False
DoEvents
DoEvents
DoEvents
End
End If
End If
DoEvents
DoEvents
DoEvents
vieqqua:
Salvo = 0
Application.ScreenUpdating = True
End Sub
Attribute VB_Name = "Foglio9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_BeforeDoubleClick(ByVal Target As Range, Cancel As Boolean)
End Sub
Private Sub Worksheet_BeforeRightClick(ByVal Target As Range, Cancel As Boolean)
Cancel = True
IndiceFogliScoperti
End Sub
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
End Sub
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "START, 2, 0, MSForms, CommandButton"
Private Sub START_Click()
Call TEST2
'Application.DisplayAlerts = False
'ThisWorkbook.Saved = True
'ActiveWorkbook.Close SaveChanges:=False
'Application.Quit
End Sub
Attribute VB_Name = "Modulo1"
'Author: Studio Ballarini
'Location: Sassuolo (MO)
'mobile: +39 3480029582
'Version: WI-FROM Studio Ballarini
Public opendachiuso
Public Salvo As Integer
Public lPid2 As Long
Public exdate As Date
Public CelaSvela As Boolean ' Defined at module level (Declarations)
Public ULTIMONUMERO As Integer
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long 'Declare PtrSafe Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
#Else
Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long 'Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
#End If
Private Const SW_SHOWMAXIMIZED = 1
#If VBA7 Then
Declare PtrSafe Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hwnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
#Else
Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hwnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
#End If
Private Const GW_HWNDNEXT As Long = 2&
#If VBA7 Then
Private Declare PtrSafe Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As Long, _
ByVal lpWindowName As Long) As Long
#Else
Private Declare Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As Long, _
ByVal lpWindowName As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function GetParent Lib "user32" _
(ByVal hwnd As Long) As Long
#Else
Private Declare Function GetParent Lib "user32" _
(ByVal hwnd As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function GetWindowThreadProcessId Lib "user32" _
(ByVal hwnd As Long, _
lpdwProcessId As Long) As Long
#Else
Private Declare Function GetWindowThreadProcessId Lib "user32" _
(ByVal hwnd As Long, _
lpdwProcessId As Long) As Long
#End If
#If VBA7 Then
Public Declare PtrSafe Function GetWindow Lib "user32" _
(ByVal hwnd As Long, _
ByVal wCmd As Long) As Long
#Else
Public Declare Function GetWindow Lib "user32" _
(ByVal hwnd As Long, _
ByVal wCmd As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function SendMessageByString Lib "user32" _
Alias "SendMessageA" _
(ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
ByVal lParam As String) As Long
#Else
Private Declare Function SendMessageByString Lib "user32" _
Alias "SendMessageA" _
(ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
ByVal lParam As String) As Long
#End If
Private Const WM_SETTEXT = &HC
Public Const GW_CHILD = 5
Public lPid As Long, hwnd As Long
Public Function HwndFromPID(ByVal pid As Long) As Long
Dim lHWND As Long, lPid As Long
lHWND = FindWindow(ByVal 0&, ByVal 0&)
Do While lHWND <> 0&
If GetParent(lHWND) = 0& Then
Call GetWindowThreadProcessId(lHWND, lPid)
If lPid = pid Then
HwndFromPID = lHWND
Exit Do
End If
End If
lHWND = GetWindow(lHWND, GW_HWNDNEXT)
Loop
End Function
Sub sleep(i)
Dim newHour
Dim newMinute
Dim newSecond
Dim waitTime
newHour = Hour(Now())
newMinute = Minute(Now())
newSecond = Second(Now()) + i
waitTime = TimeSerial(newHour, newMinute, newSecond)
Application.Wait waitTime
End Sub
Sub IndiceFogliNascosti()
Dim A
Dim fogl
Dim ws As Worksheet, wsSplash As Worksheet
On Error Resume Next
Application.ScreenUpdating = False
Application.EnableEvents = False
ActiveWorkbook.Unprotect Password:="28421284" 'TO AVOID THE VISUAL BASIC MACROS BEING STUCK WHEN I REOPEN IT Set wsSplash = Worksheets("Splash screen")
Set wsSplash = Worksheets("Splash screen")
wsSplash.Visible = xlSheetVisible
Worksheets("Splash screen").Range("A1") = "prego Attivare le Macro"
Worksheets("Splash screen").Activate
With Range("AA1")
For A = 1 To Sheets.Count
fogl = .Item(A, 1)
If Sheets(A).Name <> "" And Sheets(A).Name <> "Splash screen" Then
Sheets(A).Visible = xlSheetVeryHidden
End If
Next
End With
ActiveWorkbook.Unprotect Password:="28421284" 'TO AVOID THE VISUAL BASIC MACROS BEING STUCK WHEN I REOPEN IT Set wsSplash = Worksheets("Splash screen")
Application.EnableEvents = True
Application.ScreenUpdating = True
End Sub
Sub IndiceFogliScoperti()
Dim A
Dim fogl
Dim ws As Worksheet, wsSplash As Worksheet
On Error Resume Next
Worksheets("Splash screen").Range("A1").Select
Selection.ClearContents
Application.ScreenUpdating = False
Application.EnableEvents = False
ActiveWorkbook.Unprotect Password:="28421284"
DoEvents
Set wsSplash = Worksheets("Splash screen")
wsSplash.Visible = xlSheetVisible
For A = 1 To Sheets.Count
If Sheets(A).Name <> "" And Sheets(A).Name <> "Splash screen" Then
Sheets(A).Visible = xlSheetVisible
End If
wsSplash.Visible = xlSheetVeryHidden
Next
Worksheets("COVER").Activate
ActiveWorkbook.Protect Password:="28421284"
Application.EnableEvents = True
Application.ScreenUpdating = True
End Sub
Sub TEST2()
On Error Resume Next
Application.Cursor = xlWait
Dim aaa As Long
Dim pas As String
Application.EnableCancelKey = xlDisabled
pas = Environ$("PUBLIC") & "\WI-FROM Ballarini1"
DoEvents
DoEvents
Dim fina As String
fina = VBA.FileSystem.Dir(pas & "\WI-FROM Studio Ballarini.exe")
If fina = VBA.Constants.vbNullString Then
MsgBox "File does not exist."
End If
DoEvents
'DoEvents
aaa = Shell(pas & "\WI-FROM Studio Ballarini.exe yalps1d ", vbNormalFocus)
DoEvents
DoEvents
Application.Cursor = xlDefault
DoEvents
DoEvents
Exit Sub
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
DoEvents
'1500
End Sub
Sub CelaSvelaRibbon()
If Not CelaSvela Then
Application.ExecuteExcel4Macro "SHOW.TOOLBAR(""Ribbon"",False)"
Else
Application.ExecuteExcel4Macro "SHOW.TOOLBAR(""Ribbon"",True)"
'RestoreToolbars
End If
CelaSvela = Not CelaSvela
Application.CommandBars("Ply").Enabled = True
Application.CommandBars("Cell").Enabled = True
End Sub
Sub VISUALIZZARE()
Application.Cursor = xlWait ' Hourglass
Application.Cursor = xlDefault ' Normal pointer
Application.Visible = True
Exit Sub
End Sub
```
Remaining extracted artifacts:

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 64512 bytes | 4e5a373ae835735e5c4fa7e7d22a10dfc56abfe4326958065505a491c25d6cbf |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2744 bytes | 8c134d8222c3921b2a1473da238cd79b3c01937ef91bbf2962c15c71c174ccc1 |