Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 1df26d9e84d6b5db…

MALICIOUS

Office (OOXML) / .XLSM

Size: 88.1 KB
Created: 2021-10-23 15:11:41 UTC
Authoring application: Microsoft Excel 15.0300
MD5: e79c8ae139145385ac0565a7760a7cb2
SHA-1: 686851c87cb8e738e83a3ac3e08840d1d3e20006
SHA-256: 1df26d9e84d6b5dba799751c2f1aed2234a3ce46a3bd93e20c686434d01d9a6f
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic

The sample is an XLSM file containing VBA macros. The VBA code constructs a PowerShell command to download a file named 'Sega4b.exe' from 'http://ddl8.data.hup/get/38505045/13105765/Sega4b.exe' and execute it. The script also attempts to save a batch file named 'Uyvkpyijlslw.bat' and potentially execute it. The presence of Shell() calls and the construction of a PowerShell command indicate a downloader functionality.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2499 bytes
    SHA-256: c633063ddddb95b68367864d7481650d98b2f35b0ef020cfdb22be971c14fbe4
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes
    SHA-256: 6a0e091227e57203319a248e7dbf92c4bab99af35a8ce2079b46599b4ccf31d2