Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2d4f09faf4e05143…

MALICIOUS

Office (OOXML) / .XLSX

18.6 KB Created: 2021-06-25 03:36:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 25f54ea5ad76cf19f44fee995d489779 SHA-1: f036aa9ebf5f76b62c067b4fa1f7d23d947cc655 SHA-256: 2d4f09faf4e05143af1a25073ae60599cf10f9954f3157eea49493aa76e5f310
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1566.002 Spearphishing Attachment

The file is a macro-enabled Excel document containing a Workbook_Open macro that utilizes the Shell() function to execute code. The VBA script is heavily obfuscated, making it difficult to determine the exact payload or its destination. However, the presence of the Workbook_Open macro and the Shell() call strongly indicate an attempt to download and execute a secondary payload. The extracted artifacts 'macros.bas' and 'vbaProject_00.bin' are directly related to the macro execution.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b30c5f7874359c860d73408cd84dc468e17e4cf0577bca693d9870bc1f403875		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7748 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
cc9035b0d093f2690c495a0a37bcf1e2536365610e07ffbe8a7e9aa9fec9c272		 vba-project OOXML VBA project: xl/vbaProject.bin 25088 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.