Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 046b98b20134d268…

MALICIOUS

Office (OOXML) / .XLSM

Size: 170.2 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 29cf23b4425504ad3d0eba5012008eff
SHA-1: 542ae1c5cca0d09d77e8ef2bc7dc087461fdb63c
SHA-256: 046b98b20134d268315db4b086fb041151840a3a0dddd2881a5958be95a77649
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. The macros use `CreateObject` and WMI to launch a PowerShell process. The PowerShell command line is obfuscated, but once reconstructed it downloads and executes a VBScript from the URL 'http://91.235.134.197/bihy/Protected Client.vbs'. That VBScript is then run, most likely to download and execute a further payload.

Heuristics 4

  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • ClamAV: Doc.Dropper.Agent-8133818-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-8133818-0
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The VBA macro calls CreateObject.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                           Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)   2075 bytes
                   SHA-256: 2b9edb9c0a41e023f4a439fcf51560dd4295058267616d5aab269cc904cc9ff7
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                             20992 bytes
                   SHA-256: 422692325bfca6eba345217a997ec825a707a4521e61d55b4d1d5d0060ee6b7c