Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a86c2681334c254d…

MALICIOUS

Office (OOXML)

4.96 MB Created: 2020-05-12 18:53:24 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-04
MD5: 09bbc68abbc0ce1a7549a053b8eda88c SHA-1: 34dacc5c84429f28e0e56534c67ae23fa8555b9c SHA-256: a86c2681334c254d7742d95b9011cc505b9910a2e684a033be0a741cc8687bed
350 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is an Excel document containing a Workbook_Open macro. This macro calls a subroutine that, based on the username, executes a PowerShell command. Critical heuristics indicate the use of Shell() and WScript.Shell, along with a direct PowerShell reference, strongly suggesting the execution of a malicious payload. The macro's logic appears to be designed to download and execute a second-stage payload, likely via PowerShell, after performing some document-related operations.

Heuristics 10

  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: cid:image001.png@01D62942.4C0FC2D0
  • External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.eia.gov/petroleum/supply/weekly/schedule.php
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.eia.gov/petroleum/supply/weekly/schedule.php Document hyperlink

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34076 bytes
SHA-256: ef1d5f1053fa602f0aa0aec2202e68ce4d859fbf38342b3bcb3af8ac7a664466
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Run "StartTimer"
End Sub

Attribute VB_Name = "Sheet17"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub StartTimer()
Dim strUserName As String

    strUserName = Application.UserName
    If (LCase(strUserName) = "svcmarke") Then
        'MsgBox ("You are logged in as: " & strUserName)
        Application.OnTime TimeValue("09:57:05"), "RunFullProcess"
    End If
    
End Sub
Sub RunFullProcess()
On Error GoTo Err_RunFullProcess

Dim sht As Worksheet

    RefreshStorageModelFile  'Day of refresh is updated in lookups tab
    
    RefreshICE
    
    UpdateLinks
    
    UpdateSupplyTrackingTool
    
    'UpdateTabs

    Calculate
    
    'ProcessForecastDailyChange

    'HardCodePriorForecast
    
    'ProcessUS10History
    
    'Calculate
    
    MovePDFFiles
    
    CreatePDFFile
    
    'Put a check here to see if all dates have been updated
    'AF1
    Set sht = Sheets("Report")
    sht.Activate
    
    Calculate
    
    CreateSnapShots
    
    If (Range("V1").Value = 17) Then
        SendEmail   'Success
    Else
        SendFailureEmail
    End If
    
    ActiveWorkbook.Save
    
    CloseApplication
    
Exit_RunFullProcess:
    Exit Sub
Err_RunFullProcess:
    MsgBox ("Error in RunFullProcess: " & Err.Description)
    Resume Exit_RunFullProcess
End Sub

Sub UpdateWCSBProcess()
On Error GoTo Err_UpdateWCSBProcess

    UpdateSupplyTrackingTool

Exit_UpdateWCSBProcess:
    Exit Sub
Err_UpdateWCSBProcess:
    MsgBox ("Error in UpdateWCSBProcess: " & Err.Description)
    Resume Exit_UpdateWCSBProcess
End Sub

Sub UpdateSupplyTrackingTool()
On Error GoTo Err_UpdateSupplyTrackingTool

Debug.Print "Open Supply Tracking Tool 3.0"
Workbooks.Open Filename:="\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Natural Gas\Supply\Supply Tracking Tool\Supply Tracking Tool 3.0.xlsm", UpdateLinks:=True, ReadOnly:=True

Windows("SignpostReport.xlsm").Activate

Debug.Print "Check2"
Worksheets("NA Production").Activate

Debug.Print "Check3"
Range("C11").Select

Debug.Print "Check4"
Calculate

Debug.Print "Check5"
Windows("SignpostReport.xlsm").Activate
ThisWorkbook.Save

Debug.Print "Close Supply Tracking Tool 3.0"

Windows("Supply Tracking Tool 3.0.xlsm").Activate
Workbooks("Supply Tracking Tool 3.0.xlsm").Close SaveChanges:=False

Debug.Print "Done Refreshing links to Supply Tracking Tool 3.0"
Windows("SignpostReport.xlsm").Activate

Exit_UpdateSupplyTrackingTool:
    Exit Sub
Err_UpdateSupplyTrackingTool:
    MsgBox ("Error in UpdateSupplyTrackingTool: " & Err.Description)
    Resume Exit_UpdateSupplyTrackingTool
End Sub

Sub UpdateLinks()
On Error GoTo Err_UpdateLinks
  
'Update links
Debug.Print "Check1"
ActiveWorkbook.UpdateLink Name:= _
        "\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Outlook Development\2021-03 - Spring Forecast\IT7\Phoenix\Model\2021-01 - Spring Forecast - Gas Production - IT7.xlsm" _
        , Type:=xlExcelLinks
Debug.Print "Check2"
ActiveWorkbook.UpdateLink Name:= _
        "\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Outlook Development\2021-03 - Spring Forecast\IT7\Phoenix\Model\202
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 125952 bytes
SHA-256: f6f37da3da18398f4aeb55821b74101d94d020a460a79de248f65d3e2a24a0f7