Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 10782303485dee4f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 12.7 KB
Created: 2022-05-12 01:30:58 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-12
MD5: 8b7c54f1404c7a809f36480a4eef34b7
SHA-1: d9923abae69904383cbb17e24efde17163697422
SHA-256: 10782303485dee4f558b21984dc9af1beca7537c4666d17756a179b7f152c432
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The sample is an Excel file containing obfuscated VBA macros. The Workbook_Open macro is triggered when the workbook is opened and displays a fake error message to the user. It then proceeds to decode and likely execute a second-stage payload, as indicated by the use of Shell() and GetObject() calls and the presence of an embedded URL, which is confirmed benign but likely a placeholder. The obfuscation and auto-execution mechanism suggest a downloader or dropper.

Heuristics 8

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/~!~!~!.~!~!~!)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://42502d2a-e7ed-4a16-9f11-33ffe6c54021.usrfiles.com/ugd/42502d_9b82590c8e324ebd9a815121cac32479.txt

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 834bc7ef54ec225ea31615e1160a20a24640b48b146679f6c59d70b0fe79e6a8
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3601 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 2fe7a63c5f4d16a91da1d8e58f01d1264610113935738de38b1d59288a17abb9
    Kind: vba-project
    Source: OOXML VBA project: xl/~!~!~!.~!~!~!
    Size: 14848 bytes