Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 392988c5f51a2a6d…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 62.3 KB
Created: 2020-06-01 10:54:58 UTC
Authoring application: 16.0300
MD5: fefe7184f1d5ce17b4f7bdc61b3bc2aa
SHA-1: 24390451f80a55067f7877e635465411b07144b6
SHA-256: 392988c5f51a2a6d9ccb87b16d8b193b1dbb3325d3ca901e0dc9a2e60587f01e
Risk Score: 260

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing VBA macros. Critical heuristics indicate the use of Shell() and WScript.Shell, suggesting the macros are designed to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-7994926-0' further supports that this file acts as a dropper for malicious payloads. The macros likely download and execute a second-stage payload.

Heuristics (6)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7994926-0
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 89a2b175bbc42cc3cf5e09b5ef369095f1d01df5215c7cf9f1e952584039c48e
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1125 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).
  • vbaProject_00.bin
    SHA-256: 64b54b6d842fb8ece315ca59c931398b5035b9d207472e2d4b46a305380048c1
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 10752 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).
  • emf_00.emf
    SHA-256: 3c7098ffdcd9f678a1aaaf6bae5fb75c25cca9ac8533dd1c4212109af7748ab1
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1976 bytes