Office (OOXML) malware analysis — malicious · feca553c6feb3b43

MALICIOUS

Office (OOXML)

609.4 KB Created: 2002-08-20 07:42:50 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-09-14

MD5: 17e5f4ecf6076caa084c55a2b6636f8b SHA-1: 7d2185a49f5b811c94c452212ca2c3bd9983f6a5 SHA-256: feca553c6feb3b43b7bf69aa6cd031e6c7750ea35654c3b4af36f51b1af2069e

686 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The file contains a malicious VBA macro with AutoOpen and Auto_Open functions, indicating it's designed to execute automatically. The macro heavily utilizes WScript.Shell and CreateObject to execute commands, including references to cmd.exe and a suspicious URL on a local network IP address. This strongly suggests the macro's purpose is to download and execute a second-stage payload, consistent with a downloader or droppper malware.

Heuristics 18

ClamAV: Doc.Trojan.Xshell-6923080-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Xshell-6923080-0
VBA project inside OOXML medium 10 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://10.96.232.22:8088/overtimeHourDetail.do
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 12 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://10.96.232.22:8088/overtimeHourDetail.do Document hyperlink
- http://schemas.microsoft.com/windows/2004/02/mit/taskIn document text (OOXML body / shared strings)

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	228139 bytes
SHA-256: `a9e8facd6c43c2441f618d31f86f4c7fd2f1ff5bfcc23e15a08f73bf17a3ed71`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "HuiZong" Public f_Dir As Integer Public LogPath As String Public f_Suoding As Integer Public f_DirError As Integer Public f_CloseTimes As Integer Public Const f_Display As Integer = 0 Public f_Macros As Integer Public f_Open As Integer Public XX_WorkOvertime As String Public REN_WorkOvertime As String Public OvertimeDetailData As String Public Const chenyr As String = "chenyr" Public f_NotQuit As Integer Public DateSet As Date Public f_DateSetClose As Integer Public xDate As String Public f_UserForm4 As Integer Public f_DealWith_UserForm4 As Integer Public WBFilePath As String '= ThisWorkbook.Path & "\" & AWbName ''ﾖｸｱｾｹ､ﾗｾﾎﾄｼﾍ�ﾕ鉙ｫﾂｷｾｶ 'chenyr 2017.07.19 Public f_IsFileReadOnly As Integer Public f_ZhiZhi_Num As Integer Public f_SheetSMActivate As Integer Public P_HistoryHuiZong As Integer Public f_CheckBox1_Save As Integer Public f_HZPrint_Save As Integer Public f_AlreadyPrint_DEL As Integer Dim var1 Dim A29 Dim RangeBx Dim t_juxing As Integer Dim f_yz As Integer Dim f_lock As Integer Dim KB As String, MK As String, bz As String Dim f_psw As Integer Dim xPage As Integer Dim f_HZPrint As Integer Dim f_HistoryHuiZong As Integer Dim f_SheetNG As Integer Public Function FileFolderExists(strFullPath As String) As Boolean On Error GoTo EarlyExit If Not Dir(strFullPath, vbDirectory) = vbNullString Then FileFolderExists = True EarlyExit: On Error GoTo 0 End Function Function Dictionary() xRow1 = 32 * xPage + 9 xRow2 = 32 * xPage + 29 SheetOK.Cells(xRow2, "i") = "" Dim NAME() Set dic = CreateObject("Scripting.Dictionary") A = xRow2 - 1 For Each Cell In SheetOK.Range("L" & xRow1 & ":L" & A) If Not dic.exists(Cell.Value) Then dic.Add Cell.Value, Cell.Value On Error Resume Next End If Next NAME = dic.items For I = 1 To dic.Count If SheetOK.Cells(xRow2, "i") = "" And NAME(I - 1) <> "" Then SheetOK.Cells(xRow2, "i") = NAME(I - 1) Else If NAME(I - 1) <> "" Then SheetOK.Cells(xRow2, "i") = SheetOK.Cells(xRow2, "i") & "/" & NAME(I - 1) End If Next End Function Sub HZPrint() On Error Resume Next f_ProtectContents = 0 If SheetOK.ProtectContents = True Then f_ProtectContents = 1 SheetOK.Unprotect Password:=chenyr End If f_ProtectContentsNG = 0 If SheetNG.ProtectContents = True Then f_ProtectContentsNG = 1 SheetNG.Unprotect Password:=chenyr End If HZPrint0 If f_ProtectContents = 1 Then SheetOK.Protect Password:=chenyr If f_ProtectContentsNG = 1 Then SheetNG.Protect Password:=chenyr If f_HZPrint_Save = -1 Then f_HZPrint_Save = 0: ThisWorkbook.Save End Sub Sub HZPrint0() On Error Resume Next If f_UserForm4 = 1 Then GoTo DealWith_UserForm4 If SheetOK.[n4] = 1 And SheetOK.[i2] = Date Then MsgBox "Has Been Locked And Print!", vbOKOnly + vbInformation, "Warning": Exit Sub If f_DirError = 1 Then Call PathErr: Exit Sub Dim f_PrintFile00 As String f_PrintFile00 = ActiveWorkbook.Path & "\" & ActiveWorkbook.NAME If f_Dir = 0 Then GoTo ThisWorkbookPath1 If Get_Folder(LogPath) Then Else Application.DisplayAlerts = False MsgBox "Sorry, This Workbook Will Be Closed!" & Chr(10) & Chr(10) & "You Don't Have Permission To Access The Directory :" & Chr(34) & LogPath & Chr(34) 'ﾅﾐｶﾏﾄｿﾂｼﾊﾇｷﾐｷﾃﾎﾊﾈｨﾏﾞ｣ｬｼｴﾊｹｴ贇ﾚｵｫﾎﾞｷﾃﾎﾊﾈｨﾏﾞ｣ｬﾒｲﾌ睫ｾｲｻｴ贇ﾚ｡｣ Call WorkbookClose Application.DisplayAlerts = True End If ThisWorkbookPath1: ''UN = Environ("UserName") 'chenyr 2018.01.08 'chenyr 2018.01.08 [m4].Select If UN <> "heht" And UN <> "chenyr" And UN <> "xucl" And UN <> "shimizu_masayoshi" And UN <> "yang_pengfei" And UN <> "CYR" And UN <> "YLL" _ And f_ZhiZhi_Num <> 2 Then UserForm1.Show 1 p = var1 var1 = "" If p = Split(Environ("UserName"), "_")(0) & Split(Environ("UserName"), "_")(0) Then GoTo f_psw_1 If p = "cxeecxee" Then GoTo f_psw_1 If p <> Environ("UserName") & Environ("UserName") Then MsgBox Sheet0.[o81], vbCritical, "Error": Exit Sub f_psw_1: f_psw = 1 End If Dim f_PrintFile As String Dim f_PrintFile0 As String If ... (truncated)
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	50688 bytes
SHA-256: `8473582bf615d1f32cc8bf861cc6fbf8ca4b0e8f5635e0c449105266c13aeb85`
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	47796 bytes
SHA-256: `908fe6a187134969a03bf2415a0eb6e151ea6c95cbb288898d37487a03bdd0c7`
`ooxml_oleobject_01.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	2560 bytes
SHA-256: `58b5c787cf5bc722cc48ee15eca83ec8e627799d9ea745930722d928d27f47e4`
`ooxml_oleobject_01_ole10native_00.bin`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	335 bytes
SHA-256: `6027cc499d1c8d16f30507e14364f0d8864b7926b835c943a12b27416e29f606`
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	672768 bytes
SHA-256: `d87608c888c4ef08d8687f610364dd2bbb1520c2316e75e753f950c789010a3e`
Detection ClamAV: Doc.Trojan.Xshell-6923080-0 Obfuscation or payload: unlikely
`emf_00.emf`	ooxml-emf	OOXML EMF part: xl/media/image9.emf	2872 bytes
SHA-256: `076229a7deb150aff4c0a0c351e104d3fd7a1b221db4d5b7a3266352b0d0f50e`
`emf_01.emf`	ooxml-emf	OOXML EMF part: xl/media/image8.emf	2568 bytes
SHA-256: `6d29eb000ad402cb1310b44915361862a797a9d5b510d32f54e7a371c7b821e7`
`emf_02.emf`	ooxml-emf	OOXML EMF part: xl/media/image5.emf	5048 bytes
SHA-256: `00cc7995df0de95174ccd4b13fcd805c69f7dfbe13db68a659e23a19c6b2daf4`
`emf_03.emf`	ooxml-emf	OOXML EMF part: xl/media/image6.emf	2520 bytes
SHA-256: `8341762bc8d4b27205b8a255754b3f7e8c2018e110d1052c63d196f385572c05`
`emf_04.emf`	ooxml-emf	OOXML EMF part: xl/media/image7.emf	2592 bytes
SHA-256: `27cc0b92cd71b61241fb1d503931181653ddda11e9c0d387841e39c6d6228551`
`emf_05.emf`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4980 bytes
SHA-256: `5f9c00592a69d9b40b39a04d6d687252da6391f616f23edcd21e1b0ef667bd8a`

Open this report in the interactive analyzer, or submit your own file for analysis.