Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 28f4375d936d86a5…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSM
Size: 30.1 KB
Created: 2022-06-06 14:15:08 UTC
Authoring application: 16.0300
First seen: 2022-06-08
MD5: ec06b44da0f00666c66e808d0484876b
SHA-1: 3a6625c20b7825ceb9539bcb04b26a3a68a14a34
SHA-256: 28f4375d936d86a58499f30c79813b9d30d6ecc9c4c2ce7824ab203986eea8bd
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample is an XLSM file containing VBA macros. The critical heuristic OLE_VBA_DOWNLOAD flags the use of URLDownloadToFileA, which the `CentraForm` subroutine calls to download a file from an embedded URL. The critical heuristic OLE_VBA_SHELL flags the use of Shell(), which the `AswcC` function calls to execute the downloaded file. The reconstructed URL is only partially recoverable because the string is truncated, but the script attempts to save the payload as a file named '198.vbs' in the user's public directory and then to execute that file via cmd.exe.

Heuristics (4)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: aba2a2a5f2d8a917c531c7095cc16aea128426b94f1b94dee69828c65d535655
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2101 bytes
  • vbaProject_00.bin
    SHA-256: 187bb028675451f6690c5ba7a980e69b38816161b7188789138e747c5421d5bf
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 17408 bytes