Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ebf636ed72258d2a…

MALICIOUS

Office (OOXML)

Size: 558.2 KB
Created: 2011-05-31 17:44:04 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-05-23
MD5: 729975419b1627002a74e69b2cf256ff
SHA-1: ad28bafd965dcb5774fc904bb5e91598a5a0542d
SHA-256: ebf636ed72258d2aaf56f4b08740a89cac6e2b618669b81d1ff5acf34fdb8f02
Risk Score: 230

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.Valyria-6680506-0', indicating that it functions as a dropper. It contains VBA macros and an embedded Equation Editor OLE object, a combination commonly used to exploit vulnerabilities and execute code. The VBA script appears to interact with external XLA files and potentially execute commands, suggesting that it is designed to download and run a second-stage payload. The embedded URLs, while seemingly related to construction costs, are likely part of the lure or C2 infrastructure.

Heuristics (7)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Dropper.Valyria-6680506-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6680506-0
  • VBA project inside OOXML (severity: medium) [OOXML_VBA]
    Document contains a VBA project; VBA macros present
  • External relationship (severity: medium) [OOXML_EXTERNAL_REL]
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: /Du toan GXD_1012/DutoanMau/DutoanGXD-anh Truong.xlt
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object
  • Hidden worksheet (severity: low) [OOXML_HIDDEN_SHEET]
    Excel workbook contains 38 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://giaxaydung.vn (OOXML external relationship)
    • http://thepcongnghiep.vn/bang-gia-thep-hinh/ (OOXML external relationship)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 31625 bytes
SHA-256: f30ff9eb35542dd98cab73a63de19b4182c0df1adba2c019485a265a7626cef9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
 On Error Resume Next
 If (istpWorkbookOpen("DutoanGXD.xla") = True) Then
     Cancel = False
     If (ActiveSheet.CodeName = "shDTXD") Then
        If Target.Column = ThisWorkbook.Names("DTXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("DTTB_MH").RefersToRange.Column Then
        Cancel = True
            Application.Run "'DutoanGXD.xla'!timkiemdg", 1, 1
            Exit Sub
        End If
        
    End If
    If ActiveSheet.CodeName = "shDGCTXD" Or ActiveSheet.CodeName = "shDGCTTB" Then
        If Target.Column = ThisWorkbook.Names("CTXD_DG").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("CTTB_DG").RefersToRange.Column Then
         
           Cancel = True
           'MsgBox Target.Column
            'Application.Run "'QLCL.xla'!Enter_detail", Target.Row, Target.Column
             Application.Run "'DutoanGXD.xla'!RightClick_DGCT", Target.Row, Target.Column
             Exit Sub
        End If
    End If
    If ActiveSheet.CodeName = "shTHXD" Or ActiveSheet.CodeName = "shTHTB" Then
        If Target.Column = ThisWorkbook.Names("THXD_MSVT").RefersToRange.Column Then
         'If Target.Column = 2 Then
           Cancel = True
           'MsgBox Target.Column
            Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
            Exit Sub
        End If
    End If
    If ActiveSheet.CodeName = "shVLHTXD" Or ActiveSheet.CodeName = "shVLHTTB" Then
        If Target.Column = ThisWorkbook.Names("VLXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("VLTB_MH").RefersToRange.Column Then
         'If Target.Column = 2 Then
           Cancel = True
           'MsgBox Target.Column
            Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
            Exit Sub
        End If
    End If
    If ActiveSheet.CodeName = "shPLVXD" Or ActiveSheet.CodeName = "shPLVTB" Then
        If Target.Column = ThisWorkbook.Names("PLVTB_MVT").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("PLVXD_MVT").RefersToRange.Column Then
         'If Target.Column = 2 Then
           Cancel = True
           'MsgBox Target.Column
            Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
            Exit Sub
        End If
    End If
    If ActiveSheet.CodeName = "Sheet10" Then
    
        If Target.Column = 3 Then
            Cancel = True
        
            Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
            Exit Sub
        End If
    End If

    If ActiveSheet.CodeName = "Sheet4" Then
         If Target.Column = 2 Then
           Cancel = True
           'MsgBox Target.Column
            Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column
            Exit Sub
        End If
    End If
    If ActiveSheet.CodeName = "Sheet14" Then
        If Target.Column = 4 Then
           Cancel = True
           'MsgBox Target.Column
            Application.Run "'DutoanGXD.xla'!SeachDlgDGVB", Target.Row, Target.Column - 1
        End If
    End If

    If ActiveSheet.CodeName = "Sheet11" Then
    
        If Target.Column = 3 Then
            Cancel = True
        
            Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
            Exit Sub
        End If
    End If
    Application.Run "'DutoanGXD.xla'!RightClickSheet"
    
  End If
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Custo
... (truncated)
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 2560 bytes
SHA-256: ea88d9a16d6e50171fb2507acb2e2ccb1df4365fd833297905e93ea19edf82c4
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 119296 bytes
SHA-256: 95e7c300aff4d79f94c8678385aa94ce020477b62c2535ae98d8075f97646d7e
Detection
ClamAV: Doc.Dropper.Valyria-6680506-0
Obfuscation or payload: unlikely
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 5532 bytes
SHA-256: 201a489cbc151425b8dbdf6db55b930c0064ddc83826ca33e1db63a729f83acc