Office (OOXML) / .XLSM malware analysis — malicious · 13699f1597f146e2

MALICIOUS

Office (OOXML) / .XLSM

102.8 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-10-23

MD5: 3bcbe33f84954f3491e096ba5bceb094 SHA-1: 63a7e032140ccdca9e86c636d9f763a8ffd4d1c3 SHA-256: 13699f1597f146e229eb8edabadf3068f3a3a2673f821b046759fc41ba94d637

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize the Shell() function and obfuscated string concatenation to construct and execute a PowerShell command. This command is designed to download and execute a second-stage payload from the URL '3.64.251.139/v3/new_77108081231.exe'. The use of obfuscation and the execution of a downloaded payload are strong indicators of malicious intent, likely for further system compromise.

Heuristics 3

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a9daa837c6f0414f016d4dd8c0f8813762742929efaa866b55832f7064266039`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2345 bytes
`vbaProject_00.bin` `09210385a8b97621d0b462450d3fd872ef0b984e134bef9fd4735839f6916b13`	vba-project	OOXML VBA project: xl/vbaProject.bin	6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.