Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 3b437baa9a07e9de…

MALICIOUS

Office (OOXML) / .XLSM

Size: 363.9 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 08188e5102d3824ad530a21c1b25ad97
SHA-1: 1d5fb4b5a63f16d2c8bde8e42f9bc15fc8e1ff03
SHA-256: 3b437baa9a07e9dece2659f20b5d97f8f729ba077d399933041cdc656c8d4d04
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. The Workbook_Activate subroutine constructs and executes a PowerShell command. This command decodes a Base64 string that reveals a PowerShell script which downloads an executable from 'http://3.64.251.3/y3/2/Request0750002003.exe', saves it as 'Whqamnfpgqes.exe' in the current directory, and then executes it. The script also attempts to start the downloaded process. The VBA macro then saves the workbook, creates a batch file named 'Gqyztfbtsogpnruooqr.bat' containing the constructed PowerShell command, and executes this batch file. The primary intent is to download and execute a second-stage payload.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML — document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                           Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)   2406 bytes
                   SHA-256: 8ae4c80f890a4524f91a599df1c5619d02cb914d28a041cb14e95d5bc62d02b4
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                             6144 bytes
                   SHA-256: 17f37fb43ea6a31b0ec9742294c1f44ff2c054b2f351356cc0bb392f52dcd068