Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0e887a7032f53e9f…

MALICIOUS

Office (OOXML) / .XLSM

17.8 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-17
MD5: 609062e34104477297d166aa2be5b89c SHA-1: 4747ec665f6a5913d0e62ddd17b83dbffd42f87e SHA-256: 0e887a7032f53e9f574c13eb52c75cb830832b2a526a57b38283a7a2c6f43e57
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an XLSM file containing a Workbook_Open VBA macro. This macro executes a second-stage payload by calling mshta.exe with a URL pointing to a JavaScript file. The JavaScript file is likely responsible for downloading and executing further malicious content. The use of VBA macros and the execution of external scripts are common techniques for initial payload delivery.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Xls.Trojan.Generic-9994593-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Generic-9994593-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bitbucket.org/!api/2.0/snippets/rikimartinplace/kqpqqo/cc4b581b0383210621ebf6bf29a63d4b76fc335e/files/charlesfinal

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9cdfaf46c51eb8420658f65805358f69d34e9cc34ad054604563d5df244a8c58		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2147 bytes
vbaProject_00.bin
dec8814a61c1a68ad769e4d580a21cc235e6158ab7bd4abb7c58baf18ec82575		 vba-project OOXML VBA project: xl/vbaProject.bin 24576 bytes
Detection
ClamAV: Xls.Trojan.Generic-9994593-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.