Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ac88d098055387ee…

MALICIOUS

Office (OOXML)

242.7 KB Created: 2019-11-07 16:38:16 UTC Authoring application: Microsoft Excel 16.0300
MD5: 8c9968dacdb2410e0ae32a4fda924877 SHA-1: 8e6a44b1973a38e3db83831eef3f8858aa496ec7 SHA-256: ac88d098055387ee896048d35cd5dc153ee2ae63737aaae0d923584fd8ad4592
402 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel document containing a Workbook_Open VBA macro that is heavily obfuscated. This macro utilizes URLDownloadToFile to download components from GitHub URLs, likely to install a malicious add-in. The presence of Shell() and CreateObject calls further indicates execution of arbitrary code. The overall behavior suggests a downloader or installer for a more complex malicious payload.

Heuristics 10

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://api.github.com/repos/quickfs/quickfs-excel-addin/releases
    • https://github.com/quickfs/quickfs-excel-addin/releases/download
    • https://github.com/VBA-tools/VBA-Web
    • https://github.com/timhall/VBA-Dictionary
    • https://github.com/VBA-tools/VBA-Web/wiki/XML-Support-in-4.0
    • https://github.com/VBA-tools/VBA-Web/wiki/Url-Encoding
    • http://www.di-mgt.com.au/src/basMD5.bas.html
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • https://api.example/com/v1/messages/123
    • https://github.com/quickfs/quickfs-excel-addin/releases/download�
    • https://github.com/VBA-tools/VBA-Web��p
    • https://github.com/VBA-tools/VBA-WebndleCa�
    • https://github.com/VBA-tools/VBA-WebT
    • https://quickfs.net/using-the-excel-add-in
    • http://www.opensource.org/licenses/mit-license.php
    • http://msdn.microsoft.com/en-us/library/office/gg278481(v=office.15).aspx
    • https://stackoverflow.com/questions/10612502/error-when-closing-an-opened-workbook-in-vba-userform
    • https://api.example.com/
    • https://api.example.com/messages
    • https://api.example.com/messages/123?a=1&b=2
    • https://tools.ietf.org/html/rfc6265
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • https://api.example.com/v1/
    • https://api.example.com/v1/peeple/{id
    • https://tools.ietf.org/html/rfc3986
    • https://www.w3.org/TR/html5/forms.html#application/x-www-form-urlencoded-encoding-algorithm
    • https://www.w3.org/International/URLUTF8Encoder.java
    • https://www.google.com/a/b/c.html?a=1&b=2#hash
    • http://stackoverflow.com/questions/8246340/does-vba-have-a-hash-hmac
    • http://code.google.com/p/vba-json/
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://groups.google.com/d/msg/microsoft.public.winhttp/ZeWN2Xig82g/jgHIBDSfBwsJ
    • http://curl.haxx.se/libcurl/c/libcurl-errors.html
    • https://www.example.com/api/
    • https://api.example.com/v1/messages
    • https://api.example.com/v1/users/id
    • https://msdn.microsoft.com/en-us/library/aa383770(VS.85).aspx
    • https://api.example.com/v1/messages/1
    • http://msdn.microsoft.com/en-us/library/windows/desktop/aa384059(v=vs.85).aspx
    • http://www.opensource.org/licenses/mit-license.php)�
    • http://www.opensource.org/licenses/mit-license.php�
    • http://msdn.microsoft.com/en-us/library/office/gg278481(v=office.15).aspx�
    • https://tools.ietf.org/html/rfc6265�
    +1 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d76533087bdb73372ce3b94da10e017757116e81449bd7c0b2d6e283945476fc		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 278377 bytes
vbaProject_00.bin
b10598d8810c1862750f2b1cad4c21ddaef380dcd61c11b6656d4243f1db72ef		 vba-project OOXML VBA project: xl/vbaProject.bin 530944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.