Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 08868ca3492a70ea…

MALICIOUS

Office (OOXML) / .XLSM

Size: 53.9 KB
Created: 2022-05-03 12:53:32 UTC
Authoring application: 16.0300
First seen: 2022-05-04
MD5: bda0c23f9cd91512429cb679d411966e
SHA-1: b6e1d02a0e70b2ffdee948af391d4079a223b74a
SHA-256: 08868ca3492a70ea18bd7016bb60a659c6d36e0f5283760ebf786eecbc3d10b8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. The heuristics indicate a VBA project, a CreateObject call and, specifically, a call to the URLDownloadToFile function, which is commonly used to fetch malicious payloads. The VBA code appears to attempt to download a second-stage payload, although the exact URL is not directly visible in the provided excerpt. The document body text is nonsensical and is likely obfuscation or filler.

Heuristics (3)

  • URLDownloadToFile in VBA (severity: critical, rule: OLE_VBA_DOWNLOAD)
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA): the document contains a VBA project, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: ab91113eb00f7e3a3ee63743a744c58f38424c9145eb2ef415e04645a2db30e9
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 10908 bytes
  • vbaProject_00.bin
    SHA-256: 4a2cbc804f4be7d0c08e75247d1ec2530c17653ab74e315963dcbde3822657a7
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 38400 bytes