Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bd3d26f3ab5949bb…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 592.3 KB
Created: 2011-05-31 17:44:04 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-12

MD5: b6185d16033579bf5fbd0dbfcb54a9b5
SHA-1: 8c58826f1efbcf01376348a031fd31a7368be9bc
SHA-256: bd3d26f3ab5949bbe578b4aa44735dc4771b652acf44974799bcdddd4e1f8e0a

Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and contains VBA macros, indicating it is likely a macro-based dropper. The VBA code attempts to run functions from an external XLA add-in named 'DutoanGXD.xla', suggesting it is designed to download and execute a secondary payload. The presence of an Equation Editor OLE object also points to potential exploitation of that legacy component (see the heuristics below).

Heuristics (7)

  • Equation Editor OLE object (severity: high, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Dropper.Valyria-6680506-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6680506-0
  • External relationship (severity: high, rule: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Du toan GXD_1012\DutoanMau\DutoanGXD-anh Truong.xlt
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Hidden worksheet (severity: low, rule: OOXML_HIDDEN_SHEET)
    Excel workbook contains 44 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://giaxaydung.vn (channel: OOXML external relationship)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 30919 bytes
SHA-256: 5b31b215e036dcd2a268f64b080eca6ac58d839cb40fe1fee6df850d6ffaeeec
Preview of the script (first 1,000 lines of the extracted source):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
    ' Right-click event handler. Every branch hands control to the external add-in
    ' DutoanGXD.xla via Application.Run; none of the called routines live in this workbook.
    On Error Resume Next
    ' istpWorkbookOpen is defined outside this preview
    If (istpWorkbookOpen("DutoanGXD.xla") = True) Then
        Cancel = False
        If (ActiveSheet.CodeName = "shDTXD") Then
            If Target.Column = ThisWorkbook.Names("DTXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("DTTB_MH").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!timkiemdg", 1, 1
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shDGCTXD" Or ActiveSheet.CodeName = "shDGCTTB" Then
            If Target.Column = ThisWorkbook.Names("CTXD_DG").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("CTTB_DG").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!RightClick_DGCT", Target.Row, Target.Column
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shTHXD" Or ActiveSheet.CodeName = "shTHTB" Then
            If Target.Column = ThisWorkbook.Names("THXD_MSVT").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shVLHTXD" Or ActiveSheet.CodeName = "shVLHTTB" Then
            If Target.Column = ThisWorkbook.Names("VLXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("VLTB_MH").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shPLVXD" Or ActiveSheet.CodeName = "shPLVTB" Then
            If Target.Column = ThisWorkbook.Names("PLVTB_MVT").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("PLVXD_MVT").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet10" Then
            If Target.Column = 3 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet4" Then
            If Target.Column = 2 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet14" Then
            If Target.Column = 4 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!SeachDlgDGVB", Target.Row, Target.Column - 1
                ' No Exit Sub in the extracted source: execution falls through to RightClickSheet below
            End If
        End If
        If ActiveSheet.CodeName = "Sheet11" Then
            If Target.Column = 3 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
                Exit Sub
            End If
        End If
        Application.Run "'DutoanGXD.xla'!RightClickSheet"
    End If
End Sub

Attribute VB_Name = "shConfig"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "shTS"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
At
... (truncated)
Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 2560 bytes
SHA-256: ea88d9a16d6e50171fb2507acb2e2ccb1df4365fd833297905e93ea19edf82c4
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 116736 bytes
SHA-256: 384058d93883a8c15554b347ea387c9fe1243dab456876bdd472b5a15efc3017
Detection: ClamAV: Doc.Dropper.Valyria-6680506-0
Obfuscation or payload: unlikely
Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image1.emf
Size: 5532 bytes
SHA-256: 201a489cbc151425b8dbdf6db55b930c0064ddc83826ca33e1db63a729f83acc