Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 35733630b962758e…

MALICIOUS

Office (OOXML) / .XLSM

45.1 KB Created: 2022-04-28 08:45:14 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-28
MD5: eaa1f667ddab1bc756b5301874c281c2 SHA-1: 8401216e648cc9780eda6a8bc5b27c8a80d87a87 SHA-256: 35733630b962758efb6fa9665592bac54f3e7af215655291781b0222fbabec22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The XLSM file contains VBA macros, indicated by the OOXML_VBA heuristic. The critical OLE_VBA_DOWNLOAD heuristic and the presence of the URLDownloadToFile function in the script strongly suggest that the macro is designed to download and execute a second-stage payload from a remote URL. The script also contains API declarations for process manipulation, further supporting the execution of downloaded content.

Heuristics 3

  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6137c4ad6e92b6d7ecfeb384516569816dcbd1100d20254d64c8ec7265379519		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10921 bytes
vbaProject_00.bin
753b2f3014c087fd0a71596323c36fc6c3d86f4bd2e0675a677c708ec2234162		 vba-project OOXML VBA project: xl/vbaProject.bin 38912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.