Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 27c85758399e6f2f…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.8 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: d549a968611ad78f98bbef3010689d91
SHA-1: 0ae631fc1efb4fcce319db8615834b3089062b7a
SHA-256: 27c85758399e6f2fc5245fbd45e4fad91097e79ca9ad1cbd51f098ed12ea191a
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing for Shell() call in VBA, combined with the presence of VBA macros, indicates malicious intent. The Workbook_Activate subroutine reconstructs a PowerShell command that downloads a file from 'http://3.70.52.8/R1/Z/UYH302.exe' and saves it as '%ENV:APPDATA%\Gealrfuykle.exe', then executes it. This indicates the macro is acting as a downloader for a second-stage payload.

Heuristics (3)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2168 bytes
    SHA-256: 7286ea2c3913224ebe21279d43c5fd4777785f8c2291223034e74a989602c38f
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes
    SHA-256: 7a8fe12da29989bc996040e6bc98e70381bbd0641dfd789ffea671607e3e14bd