Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 12c3a9028c3fe274…

MALICIOUS

Office (OOXML) / .XLSX

111.6 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 12.0000
MD5: 0f951d95fae5bb52ffadef044e1bfd95 SHA-1: 25bb5d211cd07d4f27161bd1ead7286be9ddc4a8 SHA-256: 12c3a9028c3fe274798c6b20e7ce2f98bb03c0319640b30a72d711c994a513ec
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel document containing a Workbook_Open VBA macro that executes obfuscated commands. The macro uses CreateObject to interact with the system and appears to download and execute files from several URLs. The presence of VBA macros and the Workbook_Open event strongly suggest a malicious document designed to deliver a payload, likely via spearphishing.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-10004384-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10004384-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
527d0656a0c2c323955d068683ef8f7e20c035cda247a1e24383595c0eb3403b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7821 bytes
vbaProject_00.bin
62db80915ce3eb27223585685a25891bbd02ec6567928cb040771aa8bed3d5e2		 vba-project OOXML VBA project: xl/vbaProject.bin 37888 bytes
Detection
ClamAV: Doc.Malware.Valyria-10004384-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.