Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 15776ea80b830961…

MALICIOUS

Office (OOXML) / .XLSM

Size: 235.7 KB
Created: 2022-02-24 14:05:54 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-06
MD5: 151454729768e50d03a6a8392bfde7b7
SHA-1: 3a26ccc0f6df99cfbf8419715aef001e2eb4410b
SHA-256: 15776ea80b830961a7819d6fbfd9c84976dd521043134823aa8cbc946f85eeea
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

This XLSM file contains VBA macros that utilize the Shell() function and reference cmd.exe, indicating an attempt to execute arbitrary commands. The obfuscation technique of reassembling 'Wscript.Shell' from split string literals further suggests malicious intent. The script likely downloads and executes a second-stage payload, although the specific URL is not directly present in the provided evidence.

Heuristics (7)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
  • Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • cmd.exe reference in VBA [high, OLE_VBA_CMD]
  • VBA project inside OOXML [medium, OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • External hyperlinks (1) [low, OOXML_EXTERNAL_HYPERLINKS]
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://support.microsoft.com/
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://support.microsoft.com/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  9145 bytes
                   SHA-256: a67080f1dbdc9bbd7085e6b64a04ee49645909f93009375770d6861c34407a02
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            37376 bytes
                   SHA-256: 5fecb44f485f79ac5d447f63b158880e4e24eb18f2cdb1ef59b8ac3ac8d8b46a
emf_00.emf         ooxml-emf    OOXML EMF part: xl/media/image1.emf                             2784 bytes
                   SHA-256: e803889bffeba5d2ecda7209e3aac425b9da6a467730a3948dde3e89fa3cae3f