Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 38ffdb2d6f9b160e…

MALICIOUS

Office (OOXML) / .XLSM

Size: 70.2 KB
Created: 2020-05-20 10:51:53 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d887b01f72859260acf3ebaa71f3d017
SHA-1: 5afed8a0d09f4389f74f5b7b18a6bbf7e1768a71
SHA-256: 38ffdb2d6f9b160eed1502d6cdd7af90acb31dabb747e88226a2689041d23b2d
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The sample is an XLSM (macro-enabled OOXML workbook) whose xl/vbaProject.bin part carries VBA macros. The two critical heuristics flag a Shell() call and use of WScript.Shell, and a CreateObject call is also present, so the macro code is able to launch arbitrary commands through the Windows command shell once the user enables content (T1204.002 leading to T1059.005 and T1059.003). The ClamAV detection name 'Doc.Dropper.Agent-7855339-0' classifies the file as a dropper, which makes it likely that the command is used to fetch or stage a second-stage payload. These static heuristics establish execution capability, not the payload itself: the report records no URL or dropped file, so the decoded macro source (macros.bas, 1339 bytes) should be reviewed for the actual command string before any indicator beyond the file hashes is asserted.

Heuristics 6

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Dropper.Agent-7855339-0
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OOXML_VBA (medium): Document contains vbaProject.bin; VBA macros present
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
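The heuristics above reduce to two steps: inventory the OOXML zip for a vbaProject.bin part and hash every carved part, then scan the decoded macro source for execution tokens. The script below is an added example, not the analysis platform's own code, that reproduces those checks over a constructed in-memory workbook and a constructed VBA listing of the kind olevba's macro extraction returns. The heuristic IDs and ATT&CK techniques are taken from this report; the regexes, the verdict rule and the sample contents are this example's own assumptions. A real vbaProject.bin is an OLE compound file with MS-OVBA-compressed source streams, so for the actual sample the decoded source comes from `olevba sample.xlsm`, not from reading the part directly.

```python
"""OOXML macro triage modelled on this report's heuristics (added example)."""
import hashlib
import io
import re
import zipfile
from typing import Optional

# Heuristic table over decoded VBA source: (id, severity, regex, ATT&CK technique).
# IDs and techniques follow the report; the regexes are this example's assumption.
VBA_HEURISTICS = [
    ("OLE_VBA_SHELL", "critical", re.compile(r"\bShell\s*\(", re.I), "T1059.005"),
    ("OLE_VBA_WSCRIPT", "critical", re.compile(r"WScript\.Shell", re.I), "T1059.003"),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I), "T1059.005"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory_ooxml(blob: bytes) -> dict:
    """Walk the OOXML zip: hash every part, flag vbaProject.bin and media parts."""
    out = {"parts": {}, "vba_project": None, "media": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            out["parts"][info.filename] = (len(data), sha256(data))
            # OOXML_VBA: presence of a vbaProject.bin part means macros are present.
            if info.filename.lower().endswith("vbaproject.bin"):
                out["vba_project"] = info.filename
            # Embedded images (e.g. the EMF parts carved from this sample) are carved too.
            if info.filename.startswith("xl/media/"):
                out["media"].append(info.filename)
    return out


def scan_vba_source(src: str) -> list:
    """Apply the execution-token heuristics to decoded macro source.

    Returns (heuristic_id, severity, technique, hit_count) per matched rule.
    """
    hits = []
    for hid, sev, rx, technique in VBA_HEURISTICS:
        n = len(rx.findall(src))
        if n:
            hits.append((hid, sev, technique, n))
    return hits


def triage(blob: bytes, decoded_vba: Optional[str]) -> dict:
    """Combine the zip inventory with the VBA scan and derive a verdict.

    The verdict rule (any critical hit = MALICIOUS, any finding = SUSPICIOUS)
    is this example's assumption, not the report's risk scoring.
    """
    inv = inventory_ooxml(blob)
    findings = []
    if inv["vba_project"]:
        findings.append(("OOXML_VBA", "medium", "T1204.002", 1))
    if decoded_vba:
        findings.extend(scan_vba_source(decoded_vba))
    severities = {f[1] for f in findings}
    if "critical" in severities:
        verdict = "MALICIOUS"
    elif findings:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "findings": findings, "inventory": inv}


def build_sample_xlsm(with_vba: bool = True) -> bytes:
    """Construct a fake workbook zip in memory (sample input, not the real file).

    The vbaProject.bin bytes are a placeholder starting with the OLE magic; a
    real one holds MS-OVBA-compressed streams that olevba decodes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
        zf.writestr("xl/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 40)
    return buf.getvalue()


# Constructed decoded VBA source, shaped like what olevba's extraction returns.
SAMPLE_VBA = '''Sub Auto_Open()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "cmd.exe /c echo placeholder", 0, False
    Shell ("cmd.exe /c echo placeholder"), vbHide
End Sub
'''

if __name__ == "__main__":
    result = triage(build_sample_xlsm(), SAMPLE_VBA)
    print(result["verdict"])
    for finding in result["findings"]:
        print(finding)
```

Note that `\bShell\s*\(` deliberately does not fire on the `WScript.Shell` string inside `CreateObject("WScript.Shell")`, so the two critical heuristics count separately, as they do in the report; `wsh.Run` itself is not a listed heuristic and is left to manual review of the command string.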

Extracted artifacts 4

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, size and detection result.

macros.bas
  SHA-256: 89c2b820481039c3de18fd25a0da029ccf663aacb95eb1ec342b943b38135243
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1339 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).

vbaProject_00.bin
  SHA-256: 9971290ce6c16bf6c51acf40cb2ad3d209be9a1667e274b1f42f021330cbd39f
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 16896 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).

emf_00.emf
  SHA-256: 78351c630129b768cd66884baebab8b62e4ded3490f425e9440c6282c681c9ae
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 2748 bytes

emf_01.emf
  SHA-256: 3dc347a35e0db4ff1f94190b4e5af4f23db5ac24f1978b95ae0f0a933fae8b57
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image2.emf
  Size: 1976 bytes