Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0056b899adf4c8a9…

MALICIOUS

Office (OOXML) / .XLSM

Size: 22.7 KB
Created: 2024-11-06 09:21:42 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2024-12-10
MD5: 7b40567a682d8557c185f45aa9360a0e
SHA-1: 0ef291b180fd22eaa48fe0e3a69791578ab84793
SHA-256: 0056b899adf4c8a99dd0c53d8fae6e5781ad7b53b62f5b0f8dff61e7f9b9dbdf
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. Its `Worksheet_FollowHyperlink` event handler calls download and execution routines when specific hyperlinks in the sheet are clicked. The VBA code explicitly calls `URLDownloadToFile` to fetch a file from `https://architecplus.hu/hello/vegleges.exe` and then attempts to execute it, which is consistent with a downloader or initial-access payload.

Heuristics (3)

  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://architecplus.hu/hello/vegleges.exe
    • https://architecplus.hu/hello/uveg1.png
    • https://architecplus.hu/hello/uveg2.png
    • https://architecplus.hu/hello/uveg3.png

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: ab8eb88d83a986d6596fe30ef8c06f5d86f9879e391d7748c2c3abf85f99f40f
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 5216 bytes

Filename: vbaProject_00.bin
  SHA-256: de1336bbb6834915ca149ba0cfb61200b8b27ebedd02b76a89a555b98deb4672
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 38912 bytes