Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 17dfcd00aaef443f…

MALICIOUS

Office (OOXML)

Size: 15.0 KB
Created: 2021-07-16 21:12:58 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c8929b9b9ab2f41bc439975a12b808ea
SHA-1: 057815196e95dcf5617d985c38c91cf09f6dda86
SHA-256: 17dfcd00aaef443faa53c93cfe8ef35bb802c3419ec2b084a44da9ec51869031
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1053.005 Scheduled Task/Job

The VBA macro triggers a critical heuristic for URLDownloadToFile, indicating that it downloads a file from a remote URL. The script reconstructs the URL "https://upload.wikimedia.org/wikipedia/commons/thumb/7/75/Hong_Kong_at_night.jpg/2400px-Hong_Kong_at_night.jpg" at runtime and saves the downloaded file as "C:\Users\Public\Pictures\HK Skyline.jpg". It then attempts to execute "Notepad.exe" via Win32_Process.Create, likely as a stand-in for launching a second-stage payload.

Heuristics 3

  • URLDownloadToFile in VBA (severity: critical, rule: OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 2b0194e9756bead3fa56aa85dcbbd19c20bed9aab597d3c625d52111f8c36bab
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1733 bytes
  • Filename: vbaProject_00.bin
    SHA-256: bed9c608f961db62c5f1bddc2322d4cff808a1c50788c0034284046488f46ea7
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 18944 bytes