Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 09d38e65a1a77eaa…

MALICIOUS

Office (OOXML) / .XLSX

145.1 KB Created: 2021-04-21 12:59:58 UTC Authoring application: Microsoft Excel 15.0300
MD5: 150f31cf21deaa58ed54c8a8f9e648ea SHA-1: b50f54e7c82a33e38335fb3b58ca8be0c5d2661c SHA-256: 09d38e65a1a77eaa24e407e78427f96ca707540693eb9ae988e4016c19d986a1
270 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel file containing an obfuscated VBA macro that executes upon opening the workbook. This macro is designed to download and execute a second-stage payload from one of the provided URLs. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' confirms the download and execution capability, indicating a downloader or droppper functionality.

Heuristics 8

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oic.gov.pg/wp-content/plugins/smart-slider-3/Nextend/SmartSlider3/Platform/WordPress/Integration/Divi/V31ge/includes/modules/SmartSlider3FullWidth/3TktARjwB2fpVk.php
    • https://fastglobalcourier.com/wN9Xf18geVgQXZ.php
    • https://zile75yilasm.com/tmp/install_4dbf17ff8c4a3/mod_vvisit_counter/images/digit_counter/RsJQrl381qAv.php
    • https://menu.liftbakery.cafe/wp-content/plugins/mailchimp-for-wp/integrations/affiliatewp/UBP6DNfuHVjo9.php
    • https://grupo-gessa.com/YvSbL3zjYQ.php
    • https://sweetpapas.com/wp-content/plugins/really-simple-ssl/testssl/cloudflare/XGeXzH8b.php
    • https://jbbackgrounds.com/library-aquarium-backgrounds/jb/full/uYE01HW3oO.php
    • https://jireh.e-cross.app/question/behaviour/adaptive/classes/privacy/mLi2iXgc2TVX.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
16a51c71bb5a07f0d9b3bd1840b6c3188525cb62508950e9617a26d0b08abec1		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8762 bytes
vbaProject_00.bin
5ee0507c73f4d6afdb5f4c507f2c35be16a7b9debfa55b419222cc4632dea4e2		 vba-project OOXML VBA project: xl/vbaProject.bin 56320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.