Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 36ba3a601aaa5373…

MALICIOUS

Office (OOXML) / .XLSM

Size: 42.6 KB
Created: 2022-05-22 13:32:02 UTC
Authoring application: 16.0300
First seen: 2022-05-25
MD5: ccd24ddff1ae173db4cb2f572a161782
SHA-1: a30ea7d421a0ee43991c1a0727ce0c272dc0d744
SHA-256: 36ba3a601aaa53738551dca35d7e722554700f884b433ab16f5a39b35bae3b96
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an XLSM file containing VBA macros. The macros utilize the URLDownloadToFileA API to download a second-stage payload from a URL constructed from concatenated strings within the document, and then execute it using the Shell() function. The reconstructed URL is 'C:\Users\<user>\AppData\Local\Temp\1.exe'. The script also attempts to execute 'calc' and the downloaded file.

Heuristics (4)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA): document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • macros.bas
    SHA-256: b958b19c1e4f14ba0dceda51c9aee6b6c576c19e1d9a42c5946c7f1c25b3886e
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1800 bytes
  • vbaProject_00.bin
    SHA-256: efca8b320a41473397ad07f85aa7cd3f53ae1a59082855b4152e964571d8de62
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 16896 bytes