Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 04e7c6f36852658c…

MALICIOUS

Office (OOXML) / .XLSM

219.8 KB Created: 2021-05-07 12:33:38 UTC Authoring application: Microsoft Excel 15.0300
MD5: a250cafdf80db08881d86548a9565bb1 SHA-1: 45e0740cd344f741a1cefd61405781b40225fbb8 SHA-256: 04e7c6f36852658c9a75271f02acedfb52f5d8e9a1020817c0307c05772ac2c2
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an XLSM file containing a Workbook_Open macro that executes code via CreateObject. This macro is designed to download a second-stage payload from one of the listed URLs using ADODB.Stream and save it as '15450.dll' in the AppData directory, likely for execution via rundll32.exe. The ClamAV detection and critical heuristic firings strongly indicate a downloader, consistent with the Dridex family, though specific attribution is not possible from the provided evidence.

Heuristics 9

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://argentinadanza.com/aljalil/pics/galery/100/vNvKtlT1.php
    • https://aaftab.org/wp-content/plugins_/td-composer/td-multi-purpose/css/jPar115kAGV.php
    • https://sezencin.com/ozzzpanel/js/mylibs/forms/uploader/864sv4ph.php
    • https://ctfiladelfia.projetosestruturais.com/LR7u0G1zGjUJ.php
    • https://intecmmesac.com/images/5xK5fW2OdjtD.php
    • https://abgalecontractors.co.ke/wp-content/themes/twentynineteen/template-parts/content/eCcJg9X3R6V.php
    • https://blog.techdesigners.ir/ytlRUHwAF.php
    • https://jajainfo.net/zm/wp-content/uploads/2013/06/b4KjNHHVq5p.php
    • https://theaccentchairs.com/wp-content/plugins/woocommerce/vendor/automattic/rWohwKVhOY7IPnR.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1855bbc60f784b9b19e7317d8e23b265ae75a34323e3aa55ecc33017a309f573		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 40894 bytes
vbaProject_00.bin
14a5347e6b72c6a6701e4cc697c6657d730aeeb8833712b70cf77a199afa7f58		 vba-project OOXML VBA project: xl/vbaProject.bin 256000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.