Office (OOXML) malware analysis — malicious · b65566e05d887d80

MALICIOUS

Office (OOXML)

26.4 KB Created: 2021-08-18 02:04:39 UTC Authoring application: Microsoft Excel 16.0300

MD5: 3d45c1f829da8263ca4b3333abc0517c SHA-1: 17ae7e09a2c19c5d146aeacbed82204425e2f8a6 SHA-256: b65566e05d887d80c9caca129f483f805d298f709ef20874eac095c19c458da6

610 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains VBA macros that execute upon opening, leveraging WScript.Shell and CreateObject to download a second-stage payload from a hardcoded URL. The script then saves the downloaded content to disk as 'Details.dat' and 'LeakDetails.dat' in the temporary directory, indicating an attempt to execute further malicious code. The document body content, referencing 'Password Leaked', serves as a lure to trick the user into interacting with the malicious content.

Heuristics 14

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1cbfcded1b86d20c6f05a8dd13d479335b01c5dedb40b7a80900eed07d182383`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4717 bytes
`vbaProject_00.bin` `5992f97af3643038923844f1d84a2c6e21383bc226c632a5563bcb9ac9f5cd34`	vba-project	OOXML VBA project: xl/vbaProject.bin	18432 bytes
Detection ClamAV: Doc.Downloader.Valyria-10026858-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.