Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ada74dfa3d530945…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 84.7 KB
Created: 2014-06-13 08:24:54 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-24
MD5: 3d41dc70d30410fdbdb88e187b5e1f5f
SHA-1: 4fe87f8ffaefa1c621610bc7a60818657fc5389e
SHA-256: ada74dfa3d530945200d98f1fd9d5cf01965c069bf299e197ca991f4a0d4a037
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1127.001 Trusted Developer Utilities: Code Signing
  • T1203 Exploitation for Client Execution

The file is an Excel document containing VBA macros, as indicated by the OOXML_VBA heuristic and the presence of the macros.bas script. The SE_ENABLE_LURE heuristic suggests the document is designed to trick users into enabling macros. The OLE_VBA_CREATEOBJ heuristic indicates the macro attempts to execute code, likely to download and run a second-stage payload. ClamAV detection further confirms its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-9253760-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-9253760-0
  • VBA project inside OOXML (severity: medium, OOXML_VBA)
    Document contains a VBA project: VBA macros are present
  • CreateObject call (severity: high, OLE_VBA_CREATEOBJ)
    The extracted macro source contains a CreateObject call
  • Macro/content-enable lure (severity: medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 36501 bytes
SHA-256: b434150478c2d3dbf4d22859904de5368711bbcbc80fd758148a3d956b0fd9bf

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Feuil2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Feuil3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Const ongletSal = "Import des salariés"
Const ISligDeb = 2
Const IScolNom = 1
Const IScolPrenom = 2
Const IScolNIR = 3
Const IScolFA = 4
Const IScolDC = 5
Const IScolCSP = 6
Const IScolTxH = 7
Const IScolQte = 8
Const IScolNbH = 9
Const IScolAcop = 10

Const ongletH = "Import des heures"
Const IHligDeb = 3
Const IHcolNIR = 1
Const IHcolS1 = 2
Const IHcolS2 = 3
Const IHcolS3 = 4
Const IHcolS4 = 5
Const IHcolS5 = 6
Const IHcolTh = 7
Const IHcolDP1 = 8
Const IHcolDP2 = 9
Const IHcolDP3 = 10
Const IHcolDP4 = 11
Const IHcolDP5 = 12
Const IHcolMH = 13
Const IHcolMC = 14
Const IHcolFA = 16
Const IHcolDC = 17
Const IHcolNP = 18
Const IHcolEC = 19


Const ongletScr = "Création fichiers"
Const SCRligExpSal = 4
Const SCRcolExpSal = 3
Const SCRcolExpSalFic = 4
Const SCRligExpHeu = 5
Const SCRcolExpHeu = 3
Const SCRcolExpHeuFic = 4

Const dureeTravHebdoMin = 35
Const dureeTravHebdoMax = 78
Const dureeTravMensMin = 151.67
Const dureeTravMensMax = 208

' ------------------------------------------------------------------------------
' CREATE THE IMPORT FILES
' ------------------------------------------------------------------------------
Sub exportXML()
Dim cptS As String
Dim cptH As String
cptS = ""
cptH = ""

Worksheets(ongletScr).Cells(SCRligExpHeu + 2, 3).Value = "0 fichier 'salariés' créé"
Worksheets(ongletScr).Cells(SCRligExpHeu + 3, 3).Value = "0 fichier 'heures' créé"

If Worksheets(ongletScr).Cells(SCRligExpSal, SCRcolExpSal).Value = "O" Then
    cptS = exporterSalaries
End If
If Worksheets(ongletScr).Cells(SCRligExpHeu, SCRcolExpHeu).Value = "O" Then
    cptH = exporterHeures
End If
MsgBox ("Le traitement est terminé." + cptS + cptH)

End Sub


' ------------------------------------------------------------------------------
' CREATE THE EMPLOYEE IMPORT FILE IN XML FORMAT
' ------------------------------------------------------------------------------
Function exporterSalaries() As String

    Dim balRoot As String
    Dim balList  As String
    Dim balSal  As String
    Dim balSalNom  As String
    Dim balSalPrenom  As String
    Dim balSalNir  As String
    Dim balSalFA  As String
    Dim balSalDC  As String
    Dim balSalCSP  As String
    Dim balSalTxH  As String
    Dim balSalQte  As String
    Dim balSalNbH  As String
    
    Dim numfic As Integer
    Dim nomfic As String
    Dim nbSal As Integer
    Dim nbSalLus As Long
    Dim lig As Integer
    Dim fic As Variant
    
     balRoot = "FICHIER"
     balList = "LISTESALARIE"
     balSal = "SALARIE"
     balSalNom = "SALNOM"
     balSalPrenom = "SALPRENOM"
     balSalNir = "SALCODENIR"
     balSalFA = "DISFORMEAMENAGEMENT"
     balSalDC = "DISDUREECONTRACT"
     balSalCSP = "SALCSP"
     balSalTxH = "DISTXHORAIRE"
     balSalQte = "QUOTITE"
  
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 76800 bytes
SHA-256: d2c94d54a8c9d2d76fc1015cc0ea346e770cac57be94458e1d1380adbf8502f5