Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 3fa582c6429bfe7c…

MALICIOUS

Office (OOXML) / .XLSM

Size: 13.1 KB
Created: 2021-01-18 07:45:04 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d6db15ab7f42874b6bf76b6ea59be9a7
SHA-1: 5c2cd0f4131bf097493bda618d0bfbf1e7c24bf1
SHA-256: 3fa582c6429bfe7cb4932594db7265d2540256c36341194341b38511241bd3ec
Risk Score: 268

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The presence of a Workbook_Open macro, coupled with critical firings for Shell() and WScript.Shell usage, indicates that this XLSM file is designed to automatically execute arbitrary code upon opening. The VBA macros likely download and execute a second-stage payload, leveraging the Windows command shell for execution.

Heuristics (7)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin: VBA macros present
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 040e380938c7f234b9fa3d698b86ae8412f1aaecd2274cdf8d2727df3f584fe5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1483 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
  • Filename: vbaProject_00.bin
    SHA-256: 8092f99712daf0a8490c38452c84ea65f278732edeb4373ad4c5e8e0260ad96c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 15360 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.