Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b8f422c6e0ee2ec7…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 150.6 KB
Created: 2019-12-22 22:00:08 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-11-21
MD5: ab3da47be32063b80eed6bbb3196fc12
SHA-1: 15937468e7599791e4ede8614591637b87b1fffd
SHA-256: b8f422c6e0ee2ec7fd6fb160a8c9e8dd5aed7e03ac4ec60a6c260cf3648de877
Risk Score: 318

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample contains obfuscated VBA macros designed to execute automatically upon opening the document, indicated by the Workbook_Open and auto-exec loader heuristics. The script utilizes `Shell()` and `CreateObject` calls, suggesting it attempts to download and execute a second-stage payload. The document body contains what appears to be SAP system credentials and URLs, potentially used for credential harvesting or to lure the user into a false sense of legitimacy.

Heuristics (10)

  • VBA project inside OOXML (medium; 5 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (high) [OLE_VBA_WBOPEN]
    Workbook_Open macro
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff (high) [SE_PASSWORD_ARCHIVE_LURE]
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External hyperlinks (1) (low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: .
  • Hidden worksheet (hidden) (low) [OOXML_HIDDEN_SHEET]
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/VBA-tools/VBA-JSON (Document hyperlink)
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp (Document hyperlink)
    • https://github.com/VBA-tools/VBA-JSON/pull/82 (Document hyperlink)
    • https://github.com/VBA-tools/VBA-UtcConverter (Document hyperlink)
    • https://my301215.s4hana.ondemand.com/sap/opu/odata4/sap/api_electronicdocfile/srvd_a2x/sap/electronicdocfile/0001/ElectronicDocFile (Document hyperlink)
    • https://my301215.s4hana.ondemand.com/sap/opu/odata/sap/API_CV_ATTACHMENT_SRV (Document hyperlink)
    • https://my301180.s4hana.ondemand.com/sap/opu/odata4/sap/api_electronicdocfile/srvd_a2x/sap/electronicdocfile/0001/ElectronicDocFile (Document hyperlink)
    • https://my301215.s4hana.ondemand.com/sap/opu/odata/sap/API_CV_ATTACHMENT_SRV/AttachmentContentSet (Document hyperlink)
    • http://www.opensource.org/licenses/mit-license.php (Document hyperlink)
    • http://code.google.com/p/vba-json/ (Document hyperlink)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx (Document hyperlink)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx (Document hyperlink)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx (Document hyperlink)
    • http://support.microsoft.com/kb/269370 (Document hyperlink)
    • http://www.ietf.org/rfc/rfc4627.txt (Document hyperlink)
    • https://support.microsoft.com/en-us/kb/272138 (Document hyperlink)
    • http://www.opensource.org/licenses/mit-license.php) (Document hyperlink)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 62748 bytes
SHA-256: ae5240b8a0469d59cd0baed63194072034c46076c0ef47a9f789fc526903b587
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

End Sub

Attribute VB_Name = "Foglio3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "GET_eDocument_but, 3, 0, MSForms, CommandButton"
Private Sub GET_eDocument_but_Click()

    Call GET_eDocument
    
End Sub


Attribute VB_Name = "JsonConverter"
''
' VBA-JSON v2.3.1
' (c) Tim Hall - https://github.com/VBA-tools/VBA-JSON
'
' JSON Converter for VBA
'
' Errors:
' 10001 - JSON parse error
'
' @class JsonConverter
' @author tim.hall.engr@gmail.com
' @license MIT (http://www.opensource.org/licenses/mit-license.php)
'' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ '
'
' Based originally on vba-json (with extensive changes)
' BSD license included below
'
' JSONLib, http://code.google.com/p/vba-json/
'
' Copyright (c) 2013, Ryo Yokoyama
' All rights reserved.
'
' Redistribution and use in source and binary forms, with or without
' modification, are permitted provided that the following conditions are met:
'     * Redistributions of source code must retain the above copyright
'       notice, this list of conditions and the following disclaimer.
'     * Redistributions in binary form must reproduce the above copyright
'       notice, this list of conditions and the following disclaimer in the
'       documentation and/or other materials provided with the distribution.
'     * Neither the name of the <organization> nor the
'       names of its contributors may be used to endorse or promote products
'       derived from this software without specific prior written permission.
'
' THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
' ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
' DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
' DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
' (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
' LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
' ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
' (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
' SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ '
Option Explicit

' === VBA-UTC Headers
#If Mac Then

#If VBA7 Then

' 64-bit Mac (2016)
Private Declare PtrSafe Function utc_popen Lib "/usr/lib/libc.dylib" Alias "popen" _
    (ByVal utc_Command As String, ByVal utc_Mode As String) As LongPtr
Private Declare PtrSafe Function utc_pclose Lib "/usr/lib/libc.dylib" Alias "pclose" _
    (ByVal utc_File As LongPtr) As LongPtr
Private Declare PtrSafe Function utc_fread Lib "/usr/lib/libc.dylib" Alias "fread" _
    (ByVal utc_Buffer As String, ByVal utc_Size As LongPtr, ByVal utc_Number As LongPtr, ByVal utc_File As LongPtr) As LongPtr
Private Declare PtrSafe Function utc_feof Lib "/usr/lib/libc.dylib" Alias "feof" _
    (ByVal utc_File As LongPtr) As LongPtr

#Else

' 32-bit Mac
Private Declare Function utc_popen Lib "lib
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 157184 bytes
SHA-256: eb831cd07dd5d4769116b356b5ec6edb03aa44fe8b548cb125a6ded4f26a4c62

Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image1.emf
Size: 1604 bytes
SHA-256: da73506e63f25f6a1522947231019d395582aed58683ab11f29310571f21e935