Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 299856a16993ee0a…

MALICIOUS

Office (OOXML) / .XLSM

437.6 KB Created: 2021-07-28 10:37:27 UTC Authoring application: Microsoft Excel 12.0000
MD5: 27c1ef0b4a6201e9ec6eb38524dcc199 SHA-1: 630a1402e1aae21eeff4d621dc3e60d994ac155f SHA-256: 299856a16993ee0a251e90e2ae71e986ca6582c476a090973d6c15313fa7c32b
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1059.005 Visual Basic

This XLSM document contains a Workbook_Open macro that is designed to execute a command. The macro reconstructs a command string by concatenating environment variables and cell values, which appears to be 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'. It then uses CreateObject to execute this command, likely downloading and running a second-stage payload. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document likely instructs the user to copy and paste content into a shell, facilitating the execution.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
62cbfc9a54432db4a231a4401fa587b59d9f89a8f0bc7439262f125474541984		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1200 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
2bbf1c24eea004354dc821bcb73c39adf2a4836fd81c1b8023145c45eb9c6927		 vba-project OOXML VBA project: xl/vbaProject.bin 9216 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.