Office (OOXML) / .XLSX malware analysis — malicious · 3504872c9d3a369c

MALICIOUS

Office (OOXML) / .XLSX

44.5 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000

MD5: f30e1126184a961300cc304ade24259d SHA-1: 6000e8b9ec75317de3c7265a01cb101af109b0c1 SHA-256: 3504872c9d3a369cce6882e8b072a00f7a2715074bf1a7727bcb1152ecfb2632

380 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The file contains a VBA macro with an Auto_Open function, which is a common technique for initial execution. The macro utilizes WScript.Shell and CreateObject to execute a Base64-decoded command that downloads a PE file from the URL http://198.12.66.107/XdlzBPT.exe. This indicates a downloader or droppper functionality.

Heuristics 9

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER

VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.

URL http://198.12.66.107/XdlzBPT.exe
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `21aaee108925c67b1fb38b2b2d972435e24bdf8e8855eed95a100831d7e82929`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	14748 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
`ooxml_oleobject_00.bin` `6cd73f15b74e03d90e8d8f88ec9cbb3032bafeefc1026727883d9f3cc83c62b9`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject3.bin	5936 bytes
`ooxml_oleobject_01.bin` `4a34a063671e6635de9bc844d7ea47230b2b92b15fab10cbe355a0946a1624c1`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	9216 bytes
`ooxml_oleobject_01_ole10native_00.bin` `7fb041e4541b5849ddd8e2f9c517d26009640f9f03226f29ab88210668c93822`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	6353 bytes
`ooxml_oleobject_02.bin` `3c4b6effdfb24f16970eeae6674574f82fc27622256008fbf003fc9f7aa61cfb`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	3584 bytes
`ooxml_oleobject_02_ole10native_00.bin` `d8a67d6a3a775520ff29e6d5b483b0b19b557e7510062596622ebb6b19e5c0df`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	939 bytes
`ooxml_oleobject_03.bin` `5154c754ec4d7b82addafcdf231bf35e76e63591da68dba19ebce939e051ce16`	ooxml-ole-object	OOXML embedded OLE part: xl/vbaProject.bin	35328 bytes
`emf_00.emf` `979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4968 bytes
`emf_01.emf` `4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	1536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.