Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0e7520bbd98bd88a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 153.4 KB
Created: 2021-04-26 10:52:46 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 138b6130bc8972317c5a8c3cfee30165
SHA-1: c4fda917c74a6598043587e62eea2be06773a1d8
SHA-256: 0e7520bbd98bd88a056e76e7388047b6b387dfb4cae79a03c26b6f12bc624831
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

This XLSM file contains an obfuscated VBA macro that executes upon opening the workbook. The macro utilizes CreateObject to download and save a file from one of the provided URLs, and then likely executes it. The document body text, though heavily truncated, contains phrases like 'VIEW OR PRINT YOUR ORDER', suggesting a lure to trick the user into opening the malicious document.

Heuristics (8)

  • VBA downloads and writes a file to disk (critical) OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML (medium) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: a49826d02c434f1b5f2e4de92f59bfce36807d523a9879eb47ede65afff4219d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 10435 bytes
  • Filename: vbaProject_00.bin
    SHA-256: b54be7f7dc71d127590b37a7a56dcdf8703a08da2976894c7f939d7aaa08630f
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 53760 bytes