Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 18b7b262e39ad207…

MALICIOUS

Office (OOXML) / .XLSM

Size: 20.1 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 5d112dfa99245a138bd39b2b2b883888
SHA-1: e3aecb0c368feda60af0bca800553df57c492090
SHA-256: 18b7b262e39ad207a18b57969e93ad68a545735a9a5e8605cdd551a650aa9de3
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an XLSM file containing a Workbook_Open macro that calls a VBA subroutine. This subroutine writes a JavaScript file named 'browserapp.js', using the content of 'Sheet2'.Range("BN811").Value, and then launches it with 'wscript browserapp.js'. The JavaScript content appears heavily obfuscated but contains strings suggesting an attempt to download a second-stage payload from the URL 'http://66.165.246.88:1155/'. The Workbook_Open auto-execution macro combined with the launching of an external script are strong indicators of malicious intent.

Heuristics (7)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches macro documents that are p-code-only, or whose source extraction failed, so that no visible VBA source is available.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • VBA project inside OOXML [medium] OOXML_VBA
    The document contains a VBA project, so VBA macros are present.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    The Excel workbook contains 1 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 268edd0dda2a1da8b18c524f53af31cb77a0b4e8275a4ae76d9060a628fe74ce
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1683 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 32cdd102ed1aadd7d63acd455b76f7a9dd027629c1d7293499cb1e46569039bc
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 24064 bytes