Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f2c328328d304e20…

MALICIOUS

Office (OOXML)

Size: 69.6 KB
Created: 2020-12-28 16:55:57 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-02-23
MD5: 270e55d30af344af03e6a29ac6913331
SHA-1: 2e76cffc53ec8189f2a54505c3aea751f5973e62
SHA-256: f2c328328d304e206a4aa2e40899e7548eabb49f2a35a3eb6d77be940ff0e319
Risk score: 224

Heuristics (8)

  • VBA project inside OOXML [medium] (OOXML_VBA, 6 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
    Call Shell("TaskKill /F /PID " & CStr(lPid))
  • VBA polls global keyboard state (keylogger) [high] (OLE_VBA_KEYLOGGER_SPYWARE)
    The macro declares or calls a Win32 keystroke-monitoring API (GetAsyncKeyState, SetWindowsHookEx WH_KEYBOARD, or GetKeyboardState) to capture keystrokes system-wide. No legitimate document automation polls global key state; this is the core of a VBA keylogger, usually paired with active-window capture (GetForegroundWindow) and a log file. A high-confidence spyware behaviour independent of any download / Shell evidence.
    Matched line in script:
    Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
  • VBA hooks the VBE-editor / macro-list keys to evade inspection [high] (OLE_VBA_VBE_KEY_HOOK_EVASION)
    The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
    Matched line in script:
    Application.OnKey "^{F8}", "fainiente"
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] (OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
    Private Sub Workbook_Open()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script:
    pas = Environ$("PUBLIC") & "\WI-FROM Ballarini1"
  • Hidden worksheet (veryHidden) [low] (OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • macros.bas (vba-macro), source: oletools.olevba.extract_macros (decoded VBA source from OOXML), 12622 bytes
    SHA-256: 4ae56e9609ab75b9bd2a554ae118fdb88888406d5d1bc2b5ff46c74155d722c1

Preview of script (first 1,000 lines of the extracted source):
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Author: Studio Ballarini
'Place: Sassuolo (MO)
'mobile: +39 3480029582
'Version: WI-FROM Studio Ballarini

Option Explicit

#If VBA7 Then
    
    Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
            (ByVal vKey As Long) As Integer
#Else
        Private Declare Function GetAsyncKeyState Lib "user32" _
            (ByVal vKey As Long) As Integer
#End If
Private Const VK_F9 = &H78

Private Sub Workbook_Activate()
Application.DisplayAlerts = False  'very important: avoids showing the warning that it cannot link to the external file, because the csv provides no data if it is not open

 Application.EnableCancelKey = xlDisabled
        DoEvents
    
Application.OnKey "{ESCAPE}", ""
Application.OnKey "%^+{RIGHT}", "CelaSvelaRibbon"
Application.OnKey "^{F3}", "fainiente"
Application.OnKey "^{F4}", "fainiente"
Application.OnKey "^{F6}", "fainiente"
Application.OnKey "^{F8}", "fainiente"
Application.OnKey "+{F3}", "fainiente"
Application.OnKey "{F3}", "stampare"
Application.CommandBars("Ply").Enabled = False

Application.OnKey "+{PGUP}", ""
Application.OnKey "+{PGDN}", ""

Application.OnKey "^{PGUP}", "zoomup"
Application.OnKey "^{PGDN}", "zoomdown"
Application.OnKey "^{RIGHT}", "windowsdx"
Application.OnKey "^{LEFT}", "windowssx"
Application.OnKey "^{UP}", "windowsup"
Application.OnKey "^{DOWN}", "windowsdown"
Application.OnKey "^{HOME}", "centrafinestre"

Application.OnKey "{F6}", "VISUALIZZARE"
opendachiuso = "no"
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)

On Error Resume Next

Application.DisplayAlerts = False
Application.ThisWorkbook.Saved = True

Call Shell("TaskKill /F /PID " & CStr(lPid))
        DoEvents
 Call Shell("TaskKill /F /PID " & CStr(lPid2))
DoEvents

ThisWorkbook.Saved = True
      
End Sub
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)


End Sub

Private Sub Workbook_Open()
On Error Resume Next
Application.WindowState = xlNormal
DoEvents
Application.Height = 400
DoEvents
 Application.Width = 550
 DoEvents

Application.ScreenUpdating = False
 Application.DecimalSeparator = ","
ActiveWorkbook.Protect Password:="28421284" 'I DON'T KNOW WHY BUT IT ONLY WORKS UP HERE! very important: IF I PROTECT THE WORKBOOK FROM THE EXCEL MENU AND SAVE, THE MACROS STOP WORKING
DoEvents
Application.DisplayAlerts = False  'very important: avoids showing the warning that it cannot link to the external file, because the csv provides no data if it is not open
DoEvents
 Application.WindowState = xlNormal
 
If opendachiuso <> "no" Then
IndiceFogliScoperti
End If

Application.ScreenUpdating = False
 Application.DecimalSeparator = ","
DoEvents
Application.DisplayAlerts = False  'very important: avoids showing the warning that it cannot link to the external file, because the csv provides no data if it is not open
DoEvents

 Application.EnableCancelKey = xlDisabled
    DoEvents
  
DoEvents
   
Salvo = 0  ' now needed to prevent recalculation while the print area in id card is being created as the file opens; afterwards the id card activate macro must work

On Error Resume Next
Salvo = 0  ' now needed to prevent recalculation while the print area in id card is being created as the file opens; afterwards the id card activate macro must work

Application.DisplayAlerts = False  'very important: avoids showing the warning that it cannot link to the external file, because the csv provides no data if it is not open
Application.Iteration = True
CelaSvelaRibbon
ULTIMONUMERO = 300
DoEvents
If GetAsyncKeyState(vbKeyControl) Then
DoEvents
GoTo vieqqua
DoEvents
End If
    exdate = "04/30/2021"
    If Date > exdate Then
        MsgBox ("You have reached end of your trial period")
     Dim stexto
        stexto = InputBox("Inserire la password per proseguire", "soli x 2:")
  If stexto <> "yalps1dyalps1d" Then
            ActiveWorkbook.Close SaveChanges:=False
            DoEvents
            DoEvents
            DoEvents
            End
            End If
            
    End If
    DoEvents
    DoEvents
    DoEvents
vieqqua:
Salvo = 0
Application.ScreenUpdating = True

End Sub



Attribute VB_Name = "Foglio9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_BeforeDoubleClick(ByVal Target As Range, Cancel As Boolean)

End Sub

Private Sub Worksheet_BeforeRightClick(ByVal Target As Range, Cancel As Boolean)
Cancel = True
IndiceFogliScoperti
End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "START, 2, 0, MSForms, CommandButton"
Private Sub START_Click()
Call TEST2
'Application.DisplayAlerts = False
'ThisWorkbook.Saved = True
'ActiveWorkbook.Close SaveChanges:=False
'Application.Quit
End Sub

Attribute VB_Name = "Modulo1"
'Author: Studio Ballarini
'Place: Sassuolo (MO)
'mobile: +39 3480029582
'Version: WI-FROM Studio Ballarini

Public opendachiuso
Public Salvo As Integer
Public lPid2 As Long
Public exdate As Date
Public CelaSvela As Boolean ' Defined at module level (Declarations)
Public ULTIMONUMERO As Integer
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long 'Declare PtrSafe Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
#Else
Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long 'Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long

#End If

Private Const SW_SHOWMAXIMIZED = 1

#If VBA7 Then
     Declare PtrSafe Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hwnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
 #Else
     Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hwnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
 #End If

Private Const GW_HWNDNEXT As Long = 2&
#If VBA7 Then
Private Declare PtrSafe Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As Long, _
ByVal lpWindowName As Long) As Long
#Else
Private Declare Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As Long, _
ByVal lpWindowName As Long) As Long
#End If

#If VBA7 Then
Private Declare PtrSafe Function GetParent Lib "user32" _
(ByVal hwnd As Long) As Long

#Else
Private Declare Function GetParent Lib "user32" _
(ByVal hwnd As Long) As Long
#End If

#If VBA7 Then
Private Declare PtrSafe Function GetWindowThreadProcessId Lib "user32" _
(ByVal hwnd As Long, _
lpdwProcessId As Long) As Long

#Else
Private Declare Function GetWindowThreadProcessId Lib "user32" _
(ByVal hwnd As Long, _
lpdwProcessId As Long) As Long
#End If

#If VBA7 Then
Public Declare PtrSafe Function GetWindow Lib "user32" _
(ByVal hwnd As Long, _
ByVal wCmd As Long) As Long
#Else
Public Declare Function GetWindow Lib "user32" _
(ByVal hwnd As Long, _
ByVal wCmd As Long) As Long
#End If

#If VBA7 Then
Private Declare PtrSafe Function SendMessageByString Lib "user32" _
Alias "SendMessageA" _
(ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
ByVal lParam As String) As Long
#Else
Private Declare Function SendMessageByString Lib "user32" _
Alias "SendMessageA" _
(ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
ByVal lParam As String) As Long
#End If

Private Const WM_SETTEXT = &HC
Public Const GW_CHILD = 5
Public lPid As Long, hwnd As Long

Public Function HwndFromPID(ByVal pid As Long) As Long
    Dim lHWND As Long, lPid As Long
    
    lHWND = FindWindow(ByVal 0&, ByVal 0&)
    Do While lHWND <> 0&
        If GetParent(lHWND) = 0& Then
            Call GetWindowThreadProcessId(lHWND, lPid)
            If lPid = pid Then
                HwndFromPID = lHWND
                Exit Do
            End If
        End If
        lHWND = GetWindow(lHWND, GW_HWNDNEXT)
    Loop

End Function
Sub sleep(i)

Dim newHour
Dim newMinute
Dim newSecond
Dim waitTime

newHour = Hour(Now())
newMinute = Minute(Now())
newSecond = Second(Now()) + i
waitTime = TimeSerial(newHour, newMinute, newSecond)
Application.Wait waitTime

End Sub


Sub TEST2()
    On Error Resume Next
    Application.Cursor = xlWait
    Dim aaa As Long
    Dim pas As String
   
 Application.EnableCancelKey = xlDisabled
   
       pas = Environ$("PUBLIC") & "\WI-FROM Ballarini1"
  
   DoEvents
DoEvents
Dim fina As String
    fina = VBA.FileSystem.Dir(pas & "\WI-FROM Studio Ballarini.exe")
    If fina = VBA.Constants.vbNullString Then
    MsgBox "File does not exist."
    End If

DoEvents
'DoEvents
    aaa = Shell(pas & "\WI-FROM Studio Ballarini.exe yalps1d ", vbNormalFocus)
       
    DoEvents
DoEvents
Application.Cursor = xlDefault

DoEvents
DoEvents
   
    Exit Sub
    
      DoEvents
    
      DoEvents
  DoEvents
DoEvents
DoEvents
DoEvents
   

DoEvents
    DoEvents
   
DoEvents
DoEvents
DoEvents
DoEvents
'1500
End Sub
Sub CelaSvelaRibbon()
  If Not CelaSvela Then
    Application.ExecuteExcel4Macro "SHOW.TOOLBAR(""Ribbon"",False)"
     
  Else
    Application.ExecuteExcel4Macro "SHOW.TOOLBAR(""Ribbon"",True)"
    'RestoreToolbars
    
  End If
  CelaSvela = Not CelaSvela
  
Application.CommandBars("Ply").Enabled = True
Application.CommandBars("Cell").Enabled = True
End Sub
Sub VISUALIZZARE()
           
            Application.Cursor = xlWait              ' Hourglass
Application.Cursor = xlDefault          ' Normal pointer
 Application.Visible = True
Exit Sub
    End Sub
  

Attribute VB_Name = "Modulo2"
Sub IndiceFogliNascosti()

Dim A
Dim fogl
Dim ws As Worksheet, wsSplash As Worksheet
On Error Resume Next
Application.ScreenUpdating = False
Application.EnableEvents = False
ActiveWorkbook.Unprotect Password:="28421284" 'TO KEEP THE VISUAL BASIC MACROS FROM FREEZING WHEN I REOPEN IT Set wsSplash = Worksheets("Splash screen")
Set wsSplash = Worksheets("Splash screen")
wsSplash.Visible = xlSheetVisible
Worksheets("Splash screen").Range("A1") = "prego Attivare le Macro"
Worksheets("Splash screen").Activate
With Range("AA1")
     For A = 1 To Sheets.Count
     fogl = .Item(A, 1)
     If Sheets(A).Name <> "" And Sheets(A).Name <> "Splash screen" Then
     Sheets(A).Visible = xlSheetVeryHidden
     End If
       Next
End With
ActiveWorkbook.Unprotect Password:="28421284" 'TO KEEP THE VISUAL BASIC MACROS FROM FREEZING WHEN I REOPEN IT Set wsSplash = Worksheets("Splash screen")
Application.EnableEvents = True
Application.ScreenUpdating = True
End Sub

Sub IndiceFogliScoperti()
Dim A
Dim fogl
Dim ws As Worksheet, wsSplash As Worksheet
On Error Resume Next
Worksheets("Splash screen").Range("A1").Select
    Selection.ClearContents
Application.ScreenUpdating = False
Application.EnableEvents = False

ActiveWorkbook.Unprotect Password:="28421284"
DoEvents
Set wsSplash = Worksheets("Splash screen")
wsSplash.Visible = xlSheetVisible
     For A = 1 To Sheets.Count
          If Sheets(A).Name <> "" And Sheets(A).Name <> "Splash screen" Then
     Sheets(A).Visible = xlSheetVisible
     End If
          wsSplash.Visible = xlSheetVeryHidden
      Next
Worksheets("COVER").Activate
ActiveWorkbook.Protect Password:="28421284"
Application.EnableEvents = True
Application.ScreenUpdating = True
End Sub
  • vbaProject_00.bin (vba-project), source: OOXML VBA project: xl/vbaProject.bin, 72704 bytes
    SHA-256: b84d130e1586ee33378afe6f0e1b2ef763a69bdb6ef4c975ba473b4e8c41829c
  • emf_00.emf (ooxml-emf), source: OOXML EMF part: xl/media/image1.emf, 2744 bytes
    SHA-256: b39178c5a46725fb61a129080fe3b2780485334ab5edcca4d1a1ad6bd5752cc2