Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 259c6e87687cd644…

MALICIOUS

Office (OOXML) / .XLSX

79.6 KB Created: 2021-06-23 08:35:37 UTC Authoring application: Microsoft Excel 16.0300
MD5: 382d197eff08c1edb5ae48e5532a0d2d
SHA-1: 63aca255f3fc377944e4ebdc680ae6a9c8db004b
SHA-256: 259c6e87687cd6442535a1510fa36356049083ef812c09170e585666ba1b35da
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter
  • T1071.001 Application Layer Compromise
  • T1566.001 Phishing
  • T1071.002 Remote Services - Web Service

Static analysis reveals a VBA project and a Workbook_Open macro, both commonly used in malicious Excel documents to start activity as soon as the document is opened. The obfuscated VBA code, combined with the creation of COM objects, strongly suggests a downloader that attempts to connect to a remote server and retrieve a payload. The extracted URLs, while currently unverified, further support this hypothesis. The macro's obfuscation is a typical tactic to evade detection.

Heuristics (4)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: c9197c5627c05d46e233855a2423abec914c984a5c556b9b424bec7ca6b44450
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 32467 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 949 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

  • Filename: vbaProject_00.bin
    SHA-256: 7d6da27f9e3dc2c2a979404037ac2639beac323c83bf7265bce2afbb938e6531
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 72704 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 8 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.