Verdict: MALICIOUS
Risk Score: 230
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1204.002 Malicious File
The sample is an OOXML file containing a Workbook_Open macro, which fires a critical heuristic. The macro is obfuscated and uses Shell() calls, indicating it is designed to execute arbitrary code. The presence of hidden sheets and the manipulation of Excel calculation settings further suggest malicious intent, likely to download and execute a secondary payload. The document body content appears to be tabular data, possibly a lure.
Heuristics (7)
- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Hidden worksheet (hidden) (low) [OOXML_HIDDEN_SHEET]: Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://www.mathsisfun.com/median.html: in document text (OOXML body / shared strings)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#: in document text (OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/: in document text (OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/mm/: in document text (OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#: in document text (OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 168546 bytes | f8288c0a85c102df63ea42d7acf3e737814bddd37bac5574eba12b265654482e |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' v6.0 - 25072018 - 1621IST
Dim CalculationSetting As Integer
Dim ScreenUpdating As Boolean
Dim DisplayStatusBar As Boolean
Dim EnableEvents As Boolean
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error GoTo ErrorHandler
Application.Calculation = xlCalculationAutomatic
'Call LogEventTest
' Restore Client Settings
10 'Application.Calculation = CalculationSetting
20 'Application.ScreenUpdating = ScreenUpdating
30 'Application.DisplayStatusBar = DisplayStatusBar
40 'Application.EnableEvents = EnableEvents
Exit Sub
ErrorHandler:
50 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_BeforeClose", Erl)
60 Call Module33.ErrorHandler
End Sub
Private Sub LogEventTest()
On Error GoTo ErrorHandler
10 Dim t As Integer
20 t = 7 / 0
ErrorHandler:
50 Call Module33.LogEvent(Err, "ThisWorkbook.TestLog", Erl)
End Sub
Private Sub Workbook_Open()
On Error GoTo ErrorHandler
' Store Client Settings
70 CalculationSetting = Application.Calculation
80 ScreenUpdating = Application.ScreenUpdating
90 DisplayStatusBar = Application.DisplayStatusBar
100 EnableEvents = Application.EnableEvents
'Sheet2.CommandButton1_Click
110 Application.Calculation = xlCalculationManual
111 Call Module31.FreezePane
' Sheet1.Visible = xlSheetHidden
' Sheet8.Visible = xlSheetHidden
120 If Sheet2.Cells(1, 30) = "1" Then
130 Call Module33.OptimizeCode_End_ExceptCalculation
End
End If
140 Call Module32.RunInitialMacros
Exit Sub
ErrorHandler:
150 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_Open", Erl)
160 Call Module33.ErrorHandler
End Sub
Sub FillSupplyLOSCB()
On Error GoTo ErrorHandler
Dim startTime As Date
170 startTime = Now()
180 If ThisWorkbook.sheetExists("Sheet9") And Range("Sheet3!A3") > "" Then
'Call FillComboFromSheet(Sheet9.CB_Supply_LOS, "listLOS1")
190 Call Module8.FillDropDownFromSheet(Sheet9, Sheet9.Shapes("dd_Supply_LOS"), "listLOS1", ThisWorkbook.Settings("SupplyLOS"))
' Dim val As String
' val = Sheet1.Cells(5, 1)
' If val > "" Then
' Sheet9.CB_Supply_LOS.Clear
' Sheet9.CB_Supply_LOS.List = Split(val, ",")
' Sheet9.CB_Supply_LOS.Text = Sheet9.CB_Supply_LOS.List(0)
' End If
End If
200 Call Module33.LogTime("FillSupplyLOSCB", startTime, Now())
Exit Sub
ErrorHandler:
210 Call Module33.LogEvent(Err, "ThisWorkbook.FillSupplyLOSCB", Erl)
220 Call Module33.ErrorHandler
End Sub
Sub FillOverviewLOSCB()
On Error GoTo ErrorHandler
Dim startTime As Date
230 startTime = Now()
240 If ThisWorkbook.sheetExists("Sheet4") And Range("Sheet3!A3") > "" Then
250 Call Module8.FillDropDownFromSheet(Sheet4, Sheet4.Shapes("dd_Overvw_LOS"), "listLOS1", ThisWorkbook.Settings("OverviewLOS"))
'Call FillComboFromSheet(Sheet4.cb_Overvw_LOS, "listLOS1")
' Dim val As String
' val = Sheet4.cb_Overvw_LOS.value
' If val = "" Then
' Sheet4.cb_Overvw_LOS.ListFillRange = ""
' Sheet4.cb_Overvw_LOS.ListFillRange = "ListLOS"
' Sheet4.cb_Overvw_LOS.Text = Sheet4.cb_Overvw_LOS.List(0)
' End If
Dim val2 As String
260 val2 = Sheet4.Cells(10, 1)
270 If val2 = "" Then
280
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 663552 bytes | 420a5168c1dc3e9acf85dbc962a0413e15bb2de6733c5332977e3d8b3b30a72c |