Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 06ac8fccb3c4f3fe…

MALICIOUS

Office (OOXML) / .XLSX

111.6 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 12.0000
MD5: 055a552b4a682240c220b695dee77a90 SHA-1: 38ccf9c5436ab14a6daec478bfd0557b5d02a5f4 SHA-256: 06ac8fccb3c4f3fe4e2e10a7745c9efa38cd7fcf94a60b52daa30ff6e327ae11
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an Excel document containing a Workbook_Open VBA macro that executes obfuscated commands. The macro uses CreateObject to interact with the system, and the obfuscated commands in the document body attempt to create and execute batch and VBScript files from the 'c:\programdata' directory. The script also contains multiple URLs that are likely used to download additional malicious content, suggesting a downloader or droppper functionality.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-10004384-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10004384-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
527d0656a0c2c323955d068683ef8f7e20c035cda247a1e24383595c0eb3403b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7821 bytes
vbaProject_00.bin
875d28c8d34c30c31a8f652fb8b7eab1e509593b31fc1fbfc7fd8b33be693794		 vba-project OOXML VBA project: xl/vbaProject.bin 37888 bytes
Detection
ClamAV: Doc.Malware.Valyria-10004384-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.