Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d57a7c1c9467159d…

MALICIOUS

Office (OOXML)

868.5 KB Created: 2014-09-16 11:00:44 UTC Authoring application: Microsoft Excel 15.0300
MD5: da7ef85b10152880352d1325dae80026 SHA-1: 43dc47655c9b8921f967d12be0c1ff98c3d1e584 SHA-256: d57a7c1c9467159d8657db5bf0da53b75cbb9b9e5648b1e1a6ff7f453f9cbec1
338 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1071.001 Web Protocols T1105 Ingress Tool Transfer T1204.002 Malicious File

The file contains VBA macros that utilize `Shell()`, `WScript.Shell`, and `URLDownloadToFile` functions, indicating an attempt to download and execute a payload. The macro code explicitly references URLs on the local network, suggesting an internal network compromise or a targeted attack. The presence of these functions and the external download attempt strongly suggest a downloader or droppper functionality.

Heuristics 10

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • External relationship high OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Users\mdeneuville\Desktop\08 - Efficiency INTERIALE.xlsm
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.77.13/reports_hermes/LOGIC_IMMO
    • http://192.168.77.12/
    • http://192.168.77.13/reports_hermes/OPAC
    • http://10.69.77.105/reports_hermes/ING/
    • http://10.69.77.105/
    • https://www.connectionstrings.com/excel/
    • https://outlook.office365.com/owa/webhelp.fr/
    • https://outlook.office.com/owa/
    • https://outlook.office.com/owa/?ae=PreFormAction&t=IPM.Note&a=Attach

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d32fa44b89f0554ed3174c414614992a94b4c4d0d25c5ccf715434659abadf16		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 328723 bytes
vbaProject_00.bin
3e3efe2941ccc79933ac63fa74c356fd6dce0b5a974c1b76354b73dbebdf963a		 vba-project OOXML VBA project: xl/vbaProject.bin 861184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.