Office (OOXML) / .XLSM malware analysis — malicious · 1112423db7e3af4f

MALICIOUS

Office (OOXML) / .XLSM

220.0 KB Created: 2021-05-07 12:33:53 UTC Authoring application: Microsoft Excel 15.0300

MD5: ed9cd32c1289a2d49cec62f9666c171e SHA-1: 93c6d868fe0b1363aca94c26ddb0aa2d1a8ceea7 SHA-256: 1112423db7e3af4f23267cacfc4f9edcc9180531415b8341f311faa5b2855430

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from an HTTP URL and saves it to disk. The Workbook_Open macro is present, suggesting automatic execution upon opening the document. The presence of 'rundll32.exe Wscript.Shell' and 'CreateObject' calls further supports the execution of downloaded payloads. The sample is detected as 'Xls.Downloader.TrendMicroDridex0521-9860965-0' by ClamAV, confirming its downloader functionality.

Heuristics 9

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://support.groci.co.ke/qxdVqYUTid.php
- https://cartoonist.me.uk/wp-content/plugins/jetpack/scss/_utilities/us1svv7BFHAuE.php
- https://certifica.app.infoweb.boatcover.org/dt_091901820028/condivise/immagini/icone/icone-default-on/2NJsNm1KQuTMMVo.php
- https://sezencin.com/ozzzpanel/js/mylibs/forms/uploader/864sv4ph.php
- https://buyjointsonline.com/wp-content/plugins/wpforms-lite/templates/emails/pM44c3eiAK6.php
- https://shoreline.revivedevelopment.com/include/class/adodb/adodbSQL_drivers/msql/LkyCKhnFyR.php
- https://a14.fiveghosting.com/fBSkQClRc.php
- https://37.fiveghosting.com/YyXdbwCNNeEkw.php
- https://2nub.es/lib/js/prettyphoto/images/prettyPhoto/DDndV1TI5lvC3M7.php
- https://trenerwpoznaniu.pl/classes/tinymce/themes/inlite/config/WjCKp9Cb.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7a2dfb81894b06eac4fcb4c56601f4f1de535a7bd617f60a54e2c2174c66bfb2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	42789 bytes
`vbaProject_00.bin` `062ebb7c5a5c18c2ea4a4d9044518f48c9ddca93f08c458dd40db4530c3cba6f`	vba-project	OOXML VBA project: xl/vbaProject.bin	265728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.