Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 dc20b7344272a92b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 46.9 KB
Created: 2020-02-01 18:28:07 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 215c944bee26b535c1feb3f66122acf7
SHA-1: 547f734eb677e0fbc3da9a92bc5b8224ade2234f
SHA-256: dc20b7344272a92b672b41afc2c9e7b98b8473645a5431b79663eb841bd4dbe4
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1204.002 Malicious File; T1059 Command and Scripting Interpreter; T1059.003 Windows Command Shell; T1566 Phishing; T1566.001 Spearphishing Attachment

The sample is an XLSM file containing VBA macros, including an Auto_Open macro, which is a common delivery mechanism. It exploits CVE-2017-11882 through an embedded Equation Editor OLE object. The embedded object contains a command stager that attempts to execute a command to rename a file and then run a WSF script, likely to download and execute a second-stage payload.

Heuristics (8)

  • CVE-2017-11882 — Equation Editor command stager (severity: critical; CVE likely; rule: CVE_2017_11882_EQUATION_NATIVE_CMD)
    Embedded Equation Editor OLE data contains an invalid Equation Native/MTEF stream with an embedded command stager. This is likely CVE-2017-11882 exploitation because the vulnerable Equation Editor component is reached and the malformed native stream directly carries process-launch bytes.
  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Malware.Generic-8058593-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Generic-8058593-0
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)
    The VBA project contains an Auto_Open macro, which runs automatically when the workbook is opened with macros enabled.
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    The VBA code calls CreateObject, which can instantiate COM objects such as shell or scripting hosts.
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (9)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source, and size.

  • macros.bas
    SHA-256: 456d0e0192d13f4eb91133a62c1225b6de19f6f1a9dfe2aa5b2ff2b501247f9d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 27626 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
  • ooxml_oleobject_00.bin
    SHA-256: 98bb90be67f02b0dcd0c4c558feec8ddf0cb8a029265978765dfa22db0c88fc4
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 12288 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: f1ebd1f966f804d5d6957899cfa18ec13d894fe87e5c43dfbaad6fc608da738e
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 9473 bytes
  • ooxml_oleobject_01.bin
    SHA-256: a3744ee795040893ff0f6f6f0294c79e77b4adcb20de320cc05040edf6ef5ed5
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject3.bin
    Size: 5936 bytes
  • ooxml_oleobject_02.bin
    SHA-256: a584b820a2992d568309d29a53553719335cf38a9df44dc68a0604a6cca73f49
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 3584 bytes
  • ooxml_oleobject_02_ole10native_00.bin
    SHA-256: f6cb57a07162be208979a032f45da4c4f20a53852a8066e47c23f6ed11fac834
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 1275 bytes
  • ooxml_oleobject_03.bin
    SHA-256: b17f9511291b4d57bd58418f2ac5457f4989dd38a080cfb2ab792010185614de
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/vbaProject.bin
    Size: 46080 bytes
  • emf_00.emf
    SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 4968 bytes
  • emf_01.emf
    SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1536 bytes