Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 26cedbf0b944eee9…

MALICIOUS

Office (OOXML) / .XLSX

294.2 KB Created: 2021-04-14 15:44:48 UTC Authoring application: Microsoft Excel 15.0300
MD5: e1b2c0aa2862803da121c241dd8d4aef SHA-1: 44539017fed3c32688068727ef30b9fd25d1ecea SHA-256: 26cedbf0b944eee946f337d1df5cacdf603c1cc847563f70de7098872420e185
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The sample contains a Workbook_Open macro, indicating automatic execution upon opening. The macro utilizes CreateObject and Environ calls, suggesting it attempts to interact with the system or environment to download and execute a second-stage payload from the numerous embedded URLs. The obfuscated VBA code and the presence of multiple suspicious URLs strongly indicate a malicious downloader.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://api.magicalabs.com/hHVaGPuBT9dSxh.php
    • https://ritikcontainerservice.com/gallery/75rrvlzZ.php
    • https://keisie.university/machform/lib/google-api-client/monolog/monolog/BLWOdJPA.php
    • https://demo.ultrasoftsys.com/veeva/wp-content/plugins/mystickyelements/css/mLr12jjG.php
    • https://ziengineeringco.com/project-arab-contracting/css/dAHBzO4XG.php
    • https://erlima.com/userfiles/_thumbs/Images/_vti_cnf/3dlbKnTC.php
    • https://razapparelsbd.com/ima/wp-content/uploads/2021/01/StSke0U0.php
    • https://rutasmovil.mx/bar/lib/datatables/Buttons-1.2.2/css/X1hUY4rqtmPDv1O.php
    • https://oremoralesabogados.com.pe/Scripts/WqPCodwcgmkqSZ.php
    • https://kanun.ml/lib/animate/LZ5qvMji5r.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7d9159e0d5e8bbb164550d37d8c6ff40cd022617254ce66e965cdd872397fd6b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 81581 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 31 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
7d7f96e0457782071877a8cc7dd38f07b93a1cf34f3ce594cb914f64c7ec195b		 vba-project OOXML VBA project: xl/vbaProject.bin 236032 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.