Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d659836fdc839970…

MALICIOUS

Office (OOXML)

234.5 KB Created: 2020-11-29 02:01:40 UTC Authoring application: Microsoft Excel 16.0300
MD5: 233d1cdb535089c83d7e5cc353acbc63 SHA-1: f0a0826d98af30ec683a9540194bc7dd7e2616ab SHA-256: d659836fdc83997011ac8da33e651050d301f3c238912a979ae27f10eaa2d77c
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1059 Command and Scripting Interpreter

The sample is an Office document containing VBA macros that utilize `Shell()`, `CreateObject()`, `GetObject()`, and `URLDownloadToFile()` functions. These functions are indicative of a downloader attempting to fetch and execute a second-stage payload from the URL `http://www.ssitools.com/helpandsuport/ipmdar/index.htm`. The obfuscated nature of the shell command further suggests malicious intent.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ssitools.com/helpandsuport/ipmdar/index.htm
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • https://ssitools.com/ssitoolsupdates/IPMDARTools/
    • https://ssitools.com/ssitoolsupdates/IPMDARTools/SSI_IPMDAR_SPD_ToolsV12-13-2020.xlsm
    • http://www.ssitools.com/helpandsuport/ipmdar/index.htm�
    • http://schemas.microsoft.com/office/2009/07/customui
    • http://www.opensource.org/licenses/mit-license.php
    • http://code.google.com/p/vba-json/
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://www.acq.osd.mil/evm/#/resources
    • http://www.opensource.org/licenses/mit-license.php)�
    • https://www.acq.osd.mil/evm/assets/tools/IPMDAR%20SPD%20Validator.zipta
    • https://www.acq.osd.mil/evm/#f
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://www.iec.ch

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a597a5a01f639ea73176ba40f4b3e8a1cb7e63256f6fa20c14cfa64f7046579e		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 161084 bytes
vbaProject_00.bin
742085a9421fd5c74d0ecb1d9fdfbb7966a74e9ce4ce59ccbc251b5a43d8af73		 vba-project OOXML VBA project: xl/vbaProject.bin 507904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.