Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2b0c5224050242b2…

MALICIOUS

Office (OOXML) / .XLSX

Size: 68.1 KB
Created: 2012-10-19 22:33:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 36440f63c73652e73f0487907b2e8ca5
SHA-1: ddf463773c3b7b2b3668379821bc6d31931e369a
SHA-256: 2b0c5224050242b238dc90fe1170856c59c2083836b4472e0e70ebf386c378a9
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1218 Signed Binary Proxy Execution

The critical heuristic 'LOLBin reference in VBA', combined with a 'Workbook_Open' auto-exec macro, indicates that the sample is designed to execute arbitrary code as soon as the workbook is opened. The VBA script attempts to create a file in the user's profile directory and uses 'CreateObject' to instantiate COM objects, both common techniques for downloading and executing further payloads. Taken together, the file creation and the COM object usage point to an intent to download and execute a second-stage payload.

Heuristics (6)

  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin (VBA macros present).
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: e6e3c109fe026cea7f35a38859ef4eebbe0b830264185aaff48e1bc8d1840cdb
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3517 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

  • Filename: vbaProject_00.bin
    SHA-256: 7c5dc3e42d8e2c9759d6d95d15966c245b45f677ed9e41165599216595391025
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 16896 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.