Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b2d7ab0b0ca10118…

MALICIOUS

Office (OOXML)

Size: 52.9 KB
Created: 2021-07-14 10:20:57 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fa0145fdbd072310e3b3d0110479c516
SHA-1: 7da45a9f99f66caf737cebb7c134091e1ca5d89e
SHA-256: b2d7ab0b0ca1011845de79d9ba9693b7b89e640d8c543a1d100f505f17ca264f
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is an Excel document containing a Workbook_Open macro that references PowerShell and cmd.exe. The extracted VBA script implements a RunPE technique using Windows API calls, as described in the script's comments and its GitHub repository. This technique is commonly used to inject and execute malicious code, suggesting the sample acts as a downloader for a second-stage payload.

Heuristics (5)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/itm4n/VBA-RunPE

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 53674 bytes
    SHA-256: 694def1a5579987a4af449f6304390e02834721c4ba83f17d9ddf4b2ddb66f60
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 109056 bytes
    SHA-256: 6b993b4fcc1abec804fc6c833461f72e24fe063debc8af28eec9ead77b6ce139