Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 1cdc0c36ddb9c985…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM

Size: 45.2 KB
Created: 2022-07-20 09:00:31 UTC
Authoring application: 16.0300
First seen: 2022-07-21

MD5: 87780a3379d6cfe3d2d5f6c2b6e80837
SHA-1: a94fa02101068469dd2e445a38f41c2090c24227
SHA-256: 1cdc0c36ddb9c98529f73e325411d09c5f3b2a75c4de5440c8314c0266d5efcc

Risk Score: 168

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macro downloads a file from the internet and saves it to disk. The script also uses CreateObject and GetObject calls, common in macro-based malware. The Environ() call suggests it may write to the temporary directory, as indicated by the IOC 'TEmp\'. The exact download URL and final payload are not directly visible due to obfuscation in the script.

Heuristics (5)

  • OLE_VBA_HTTP_DROP_EXEC (critical): VBA downloads and writes a file to disk
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_GETOBJ (high): GetObject call
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project (VBA macros present)
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 46be2829e77a3628e528d8e2dcee67271fedc0cdadddd9e1d084a3e17e42a617
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3728 bytes
  • vbaProject_00.bin
    SHA-256: 5f7e04a3a6b0cbf656c54ab475b76d7a7b585e213edf05510e84b06457973a00
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 31232 bytes