Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 34bb7de68ae7f7ce…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.8 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 9c4a5c1d8911a46ea1695d6f1a7c577a
SHA-1: 2859e2cb0dcd3100a32f8da04f751ba9f7e6fc21
SHA-256: 34bb7de68ae7f7ce9202f28f66c7b8b205bbaacb05d0ac565527f55117e04682
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros. The script reconstructs a PowerShell command to download a second-stage executable from 'http://srotoswinisubarnarekgna.com/wp-content/2938258452.exe' and save it as '%ENV:APPDATA%\ProCName'. It then executes this downloaded file via a temporary batch script named 'Ptznfxewpo.bat'. The Workbook_Activate event triggers this malicious behavior upon opening the document.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
    A Shell() call is present in the VBA macros.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2347 bytes
    SHA-256: e03012c7711882ca8f1aa8645ac59c9ba22490f9602573be754b607ee56f5948
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes
    SHA-256: 83f722272910854fcfe545d29b04ea99d54ee5da8636a0a44707f3aa5eb74cc1