Office (OOXML) malware analysis — malicious · abc24dbd100a6b5e

MALICIOUS

Office (OOXML)

28.5 KB Created: 2021-08-18 02:04:39 UTC Authoring application: Microsoft Excel 16.0300

MD5: 1c4938de1235a18bbaba0b4b921a89dc SHA-1: 672352010e739d1bc739f67790cced6b42d9a8e1 SHA-256: abc24dbd100a6b5edff0509164f4b07f9feb747f1bd0310c14f7597f0d1a7c30

610 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample contains VBA macros that execute automatically upon opening. These macros utilize WScript.Shell and CreateObject to download a file from a specified URL, save it as 'Details.dat' in the temporary directory, and then likely execute it. The document body content, referencing account information and security alerts, serves as a lure to encourage user interaction. The presence of obfuscated shell commands and WMI process creation further indicates malicious intent.

Heuristics 14

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/employees/incident/180821/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d86d9034a6d00437cd4f6d8b3bdb4a601d81739706e2439a5614001d05884490`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4726 bytes
`vbaProject_00.bin` `ac1c934a4d9b7ac27815bbd87708a26fa801bda9c8b0d223f577a6749953cb7f`	vba-project	OOXML VBA project: xl/vbaProject.bin	18432 bytes
Detection ClamAV: Doc.Downloader.Valyria-10026858-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.