Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 161072e241f0f02e…

MALICIOUS

Office (OOXML) / .XLSM

Size: 498.5 KB
Created: 2016-10-19 22:49:03 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3d3269f490e3ec46d10d4a0351e96bd9
SHA-1: 2c05a43f371230192241b1cdac105fe49591df2b
SHA-256: 161072e241f0f02e9aa150f92f802764571b86314a3316366e337c1e68da4602
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is an Excel macro-enabled spreadsheet (XLSM) that contains an Auto_Open macro. The macro uses WScript.Shell to write a VBScript file into the user's startup folder. That VBScript then attempts to download a second-stage payload from the hardcoded URL http://206.189.14.107/54522962/?uid=, appending system information to the request. This indicates downloader or dropper functionality.

Heuristics (8)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible VBA source is unavailable.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://206.189.14.107/54522962/?uid= (macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (OOXML schema namespace)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename             | Kind             | Source                                                                              | Size
---------------------|------------------|-------------------------------------------------------------------------------------|-------------
macros.bas           | vba-macro        | oletools.olevba.extract_macros (decoded VBA source from OOXML)                      | 2047 bytes
  SHA-256: 49e49985bcff31b83d09144bfd65ce40cf82569cc3e75132cc2ffed091faa3f6
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/Microsoft_Word_97_-_2003_Document1.doc    | 284160 bytes
  SHA-256: 43ba8a3891e28dc8386cedcbfbeeca635e8f02120cf1aa746986fccbe45f7234
ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/Microsoft_Word_97_-_2003_Document.doc     | 48128 bytes
  SHA-256: 403b88f5ec4910d42f755af026a984696f3444856bc7c90975c65baa2e7f3f64
vbaProject_00.bin    | vba-project      | OOXML VBA project: xl/vbaProject.bin                                                | 12800 bytes
  SHA-256: 4b9bdca3a33fc681aa0dbce1ac9b51425fcf801a2b255132c19a92710ff4bd96
emf_00.emf           | ooxml-emf        | OOXML EMF part: xl/media/image2.emf                                                 | 110884 bytes
  SHA-256: 8999bf672abc83d9e1975b6df0f72fe9c262e2afd3f04c630202f355d9e32805
emf_01.emf           | ooxml-emf        | OOXML EMF part: xl/media/image1.emf                                                 | 13176 bytes
  SHA-256: 3bea8295b1f6464ea417cfa969d24fde876c33c665ce100f100ff760fc7f593c