Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 28e6b8ecae6692df…

MALICIOUS

Office (OOXML) / .XLSM

304.3 KB Created: 2021-04-12 15:33:32 UTC Authoring application: Microsoft Excel 15.0300
MD5: af4c749508c43b22a65112b5236ed31c SHA-1: e32f704b61c9ff44fc72b84be99f72b9dec94b12 SHA-256: 28e6b8ecae6692df4f9e19f5f4447351c4baf93233676e846a9d8fcc70cc5da6
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The sample is an XLSM file containing VBA macros, with a Workbook_Open macro detected. The script uses CreateObject and Environ() calls, and exhibits string obfuscation. The embedded URLs in the document body are likely used to download and execute a second-stage payload. The combination of macro execution and embedded URLs strongly suggests a malicious intent to compromise the user's system.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://expoze360.com/wsb/smm/vendor/ramsey/uuid/YZnmmdRaNYeP.php
    • https://opticahealthvision.com/wp-includes/js/tinymce/themes/inlite/6oc5yCaQGY0zv.php
    • https://razapparelsbd.com/ima/wp-content/uploads/2021/01/Oyo18x4LVQqNgYy.php
    • https://ingtedis.com/resources/chAczm9XTT0VY4.php
    • https://platinumlabel.net/wp-content/plugins/jetpack/modules/after-the-deadline/ULKnO8sQ4.php
    • https://standard.techfreestore.com/KJStyqxJw.php
    • https://rockin1000.com.br/code/img/SocialMedia/IThiDYMU.php
    • https://wordpress.interactivolive.com/etum/aulavirtual/mod/url/backup/fmlveNkcm0oW.php
    • https://lyonfruit.com/images/tEK1sLUx4BK.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4c029a54e5f0a691445e2affade9cf19d750d1f7a7c9f6556ff9de04b39121bd		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 83877 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 24 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
e5e86285502bb46010be61d467f07a01d2bd707c2dd5c18116637dedc8def161		 vba-project OOXML VBA project: xl/vbaProject.bin 242176 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.