Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c9cfab0abe12a9dd…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 156.1 KB
Created: 1997-01-08 22:48:59 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2026-06-05
MD5: dec77013d063de9d7886c0cfa17a258e
SHA-1: 70cbe52582ecead263162928a5845c95e696cc2c
SHA-256: c9cfab0abe12a9dd82bb4a92a3c4ee39cd9f4933c576d467bf3784885e4898e1
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a Workbook_Open macro that utilizes WScript.Shell and CreateObject to execute commands and potentially download further payloads. The embedded URLs, such as http://27.121.93.114/SR-C/Main/Download/ExcelUpload.aspx, are likely used to fetch malicious content. The macro's intent appears to be to initiate a download and execution chain, making it a downloader for a second-stage payload.

Heuristics (9)

  • VBA project inside OOXML [medium] OOXML_VBA (7 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found, all in document text (OOXML body / shared strings):
    • http://27.121.93.114/SR-C/Main/View/OutLineContinueStartOFF.aspx?FileName={0}&Count={1}&User={2
    • http://27.121.93.114/SR-C/Main/View/OutLineContinueFile.aspx
    • http://27.121.93.114/SR-C/Main/Download/ExcelUpload.aspx
    • http://27.121.93.114/SR-C/Main/Download/ExcelUploadCSV.aspx
    • http://27.121.93.114/SR-C/Main/View/OutLineTransfer.aspx?KohoNo={0}&Index=0&KindUserID=shinfo004
    • http://27.121.93.114/SR-C/Main/View/Syoukai.aspx?No={0}&ZenbunFlag=1&Index=0&USERID=shinfo004
    • http://27.121.93.114/SR-C/Main/View/Syoukai.aspx?No={0}&LayoutFlag=1&USERID=shinfo004

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 139850 bytes
SHA-256: ec46c0cbb028a871f654f61513186c9128df5d1b973c21923051efc74f609a29
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_Open()
    'Initialize global variables
    Dim Sheet1OBJ As Sheet1
    Set Sheet1OBJ = Sheet1
    'Initialization
    Sheet1OBJ.HeaderRangeInit
    
    g_ALLDisp_SubMenuName = g_InfoSheetOBJ.Range("全一括表示").Value '//#B87_0242
    g_Update_SubMenuName = g_InfoSheetOBJ.Range("更新アップロード").Value '//#B87_0242
    g_Upload_SubMenuName = g_InfoSheetOBJ.Range("文献アップロード").Value '//#B87_0242
    If g_InfoSheetOBJ.Range("SYS_LANG_FLAG").Value = "zh" Then
        'Top menu setting (China, Taiwan, Hong Kong, Macau)
        If Application.International(xlCountryCode) = 86 _
        Or Application.International(xlCountryCode) = 886 _
        Or Application.International(xlCountryCode) = 852 _
        Or Application.International(xlCountryCode) = 853 _
        Then
            g_TopMenuName = "&digi-patent/s"
        ElseIf Application.International(xlCountryCode) = 81 _
        Then
            g_TopMenuName = "&Shareresearch"
        Else
            g_TopMenuName = "&digi-patent/s"
        End If
    Else
        g_TopMenuName = "&Shareresearch"
    End If

    'Menu add processing //#B60_0138
    MakeMenu       '//#B60_0138
End Sub

'Get top menu caption text
'//#B60_0138
Public Function GetTopMenuName() As String
    GetTopMenuName = g_TopMenuName
    Exit Function
End Function

'Sub menu: get "display all" caption text
'//#B60_0138
Public Function GetALLDisp_SubMenuName() As String
    GetALLDisp_SubMenuName = g_ALLDisp_SubMenuName
    Exit Function
End Function

'Sub menu: get "update upload" caption text
'//#B60_0138
Public Function GetUpdate_SubMenuName() As String
    GetUpdate_SubMenuName = g_Update_SubMenuName
    Exit Function
End Function

'Sub menu: get "document upload" caption text
'//#B60_0138
Public Function GetUpload_SubMenuName() As String
    GetUpload_SubMenuName = g_Upload_SubMenuName
    Exit Function
End Function

'Workbook activate event
'//#B60_0138
Private Sub Workbook_WindowActivate(ByVal Wn As Window)
    Dim MenuOBJ As Variant
    For Each MenuOBJ In Application.CommandBars("Worksheet Menu Bar").Controls
        If MenuOBJ.Caption = GetTopMenuName() Then
            Exit Sub
        End If
    Next
    MakeMenu                                                                    '//#B90_0095
End Sub

'Workbook deactivate event
'//#B60_0138
Private Sub Workbook_WindowDeactivate(ByVal Wn As Window)
    Dim MenuOBJ As Variant
    For Each MenuOBJ In Application.CommandBars("Worksheet Menu Bar").Controls
        If MenuOBJ.Caption = GetTopMenuName() Then
            MenuOBJ.Delete                                                      '//#B90_0095
            Exit Sub
        End If
    Next
End Sub

'Menu creation and initialization processing
'//#B60_0138
Private Sub MakeMenu()
    Dim NewM As Variant
    Dim SubNewM As Variant
    Dim Sheet1OBJ As Sheet1
    Dim HeaderOBJ As Sheet4
    Dim MenuOBJ As Variant
    Dim SubMenuOBJ As Variant
    
    On Error GoTo MENU_ERROR
    
    Set Sheet1OBJ = ActiveWorkbook.Worksheets(g_Sheet1Name)
    Set HeaderOBJ = ActiveWorkbook.Worksheets(g_Sheet4Name)

    Set NewM = Application.CommandBars("Worksheet Menu Bar").Controls.Add( _
        Type:=msoControlPopup, Temporary:=True)
    NewM.Caption = GetTopMenuName()
    
    Set SubNewM = NewM.Controls.Add
    With SubNewM
        .Caption = GetALLDisp_SubMenuName()
        .OnAction = "ALLDisp_SubMenu_Command"
        .BeginGroup = False
        .Enabled = Sheet1OBJ.GetALLDisp_SubMenuEnable()
    End With
    
    Set SubNewM = NewM.Controls.Add
    With SubNewM
        .Caption = GetUpdate_SubMenuName()
        .OnAction = "Update_SubMenu_Command"
        .BeginGroup = False
        .Enabled = Sheet1OBJ.GetUpdate_SubMenuEnable()
    End With
    
    Set SubNewM = NewM.Controls.Add
    With SubNewM
        .Caption = GetUpload_SubMenuName()
        .OnAction = "Upl
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 288768 bytes
SHA-256: 92fc0d7e45810b9d36f1891854c97896d5bafbbf7772a078ff6ecd469abb4793