Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e867e685e27d1a6b…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 1.21 MB
Created: 2016-06-27 09:21:24 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-12-09
MD5: 0b05f70b1b3758c66d000d9413e68c81
SHA-1: f9768e7bfb92ebee6f0d4e051af1c1548a9e1d77
SHA-256: e867e685e27d1a6b0f98d3426c5083431e65d98cb435bb52fc15bb10bf0c2e4d
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The file is an OOXML document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The macro is heavily obfuscated and uses the Shell() function, indicating an attempt to download and execute a second-stage payload. The presence of hidden sheets further supports the malicious intent by suggesting an effort to conceal malicious components. No specific family could be identified due to the obfuscation.

Heuristics (7)

  • VBA project inside OOXML (medium; 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (high) [OLE_VBA_WBOPEN]
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Hidden worksheet (low) [OOXML_HIDDEN_SHEET]
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.mathsisfun.com/median.html
      Channel: in document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      Channel: in document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/
      Channel: in document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/
      Channel: in document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
      Channel: in document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 168546 bytes
SHA-256: f8288c0a85c102df63ea42d7acf3e737814bddd37bac5574eba12b265654482e
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' v6.0 - 25072018 - 1621IST

Dim CalculationSetting As Integer
Dim ScreenUpdating As Boolean
Dim DisplayStatusBar  As Boolean
Dim EnableEvents  As Boolean

Private Sub Workbook_BeforeClose(Cancel As Boolean)
        On Error GoTo ErrorHandler
        Application.Calculation = xlCalculationAutomatic
        'Call LogEventTest
        ' Restore Client Settings
10      'Application.Calculation = CalculationSetting
20      'Application.ScreenUpdating = ScreenUpdating
30      'Application.DisplayStatusBar = DisplayStatusBar
40      'Application.EnableEvents = EnableEvents
            Exit Sub
ErrorHandler:
50          Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_BeforeClose", Erl)
60          Call Module33.ErrorHandler
End Sub

Private Sub LogEventTest()
    On Error GoTo ErrorHandler
10    Dim t As Integer
20      t = 7 / 0
ErrorHandler:
50          Call Module33.LogEvent(Err, "ThisWorkbook.TestLog", Erl)
End Sub

Private Sub Workbook_Open()
        On Error GoTo ErrorHandler
        
        ' Store Client Settings
70      CalculationSetting = Application.Calculation
80      ScreenUpdating = Application.ScreenUpdating
90      DisplayStatusBar = Application.DisplayStatusBar
100      EnableEvents = Application.EnableEvents
        
            'Sheet2.CommandButton1_Click
110    Application.Calculation = xlCalculationManual
111         Call Module31.FreezePane
        '    Sheet1.Visible = xlSheetHidden
        '    Sheet8.Visible = xlSheetHidden
120     If Sheet2.Cells(1, 30) = "1" Then
130         Call Module33.OptimizeCode_End_ExceptCalculation
                End
            End If
140     Call Module32.RunInitialMacros
            Exit Sub
ErrorHandler:
150         Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_Open", Erl)
160         Call Module33.ErrorHandler
End Sub

Sub FillSupplyLOSCB()
        On Error GoTo ErrorHandler
        Dim startTime As Date
170     startTime = Now()

180         If ThisWorkbook.sheetExists("Sheet9") And Range("Sheet3!A3") > "" Then
         'Call FillComboFromSheet(Sheet9.CB_Supply_LOS, "listLOS1")
190          Call Module8.FillDropDownFromSheet(Sheet9, Sheet9.Shapes("dd_Supply_LOS"), "listLOS1", ThisWorkbook.Settings("SupplyLOS"))
        '    Dim val As String
        '    val = Sheet1.Cells(5, 1)
        '    If val > "" Then
        '        Sheet9.CB_Supply_LOS.Clear
        '        Sheet9.CB_Supply_LOS.List = Split(val, ",")
        '        Sheet9.CB_Supply_LOS.Text = Sheet9.CB_Supply_LOS.List(0)
        '    End If
        End If
200      Call Module33.LogTime("FillSupplyLOSCB", startTime, Now())
            Exit Sub
ErrorHandler:
210          Call Module33.LogEvent(Err, "ThisWorkbook.FillSupplyLOSCB", Erl)
220          Call Module33.ErrorHandler
End Sub

Sub FillOverviewLOSCB()
        On Error GoTo ErrorHandler
        Dim startTime As Date
230     startTime = Now()
240          If ThisWorkbook.sheetExists("Sheet4") And Range("Sheet3!A3") > "" Then
            
250      Call Module8.FillDropDownFromSheet(Sheet4, Sheet4.Shapes("dd_Overvw_LOS"), "listLOS1", ThisWorkbook.Settings("OverviewLOS"))
        'Call FillComboFromSheet(Sheet4.cb_Overvw_LOS, "listLOS1")
            
        '    Dim val As String
        '    val = Sheet4.cb_Overvw_LOS.value
        '    If val = "" Then
        '        Sheet4.cb_Overvw_LOS.ListFillRange = ""
        '        Sheet4.cb_Overvw_LOS.ListFillRange = "ListLOS"
        '        Sheet4.cb_Overvw_LOS.Text = Sheet4.cb_Overvw_LOS.List(0)
        '    End If
            
            Dim val2 As String
260          val2 = Sheet4.Cells(10, 1)
270          If val2 = "" Then
280    
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 663552 bytes
SHA-256: e0dd43d9c434be685e06369cc17a74d2cb065acf4ed69c223158ad56b18ada4f