Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 40d1d3def95ad310…

MALICIOUS

Office (OOXML) / .XLSM

117.5 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 16.0300
MD5: 1e6ea6bd0af320b37d888f2c92400f0d SHA-1: cf48394f603712907c651a36cd0e2d1b362f9299 SHA-256: 40d1d3def95ad310b2aabcfacebcae1be206316be9b006da78092647614dcc95
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The VBA macro contains obfuscated PowerShell commands. The script decodes a Base64 string which, when reconstructed, reveals a PowerShell command to download an executable file from 'http://coaccharmemwilliams.com/C87b1mDLYqpH300620IMG.exe' and save it as '%APPDATA%\ProcName'. It then attempts to execute this downloaded file. The presence of a Shell() call in VBA and the embedded PowerShell script strongly indicate a malicious downloader.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8492567d4bf02d9f071d930b652911a19fccd9565f0d68c5bb71970eb1e10853		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2688 bytes
vbaProject_00.bin
cb329156baa56749a3c15b18ec6d5cbe7c87cd0cd9a5ecc2774dd112512d46fc		 vba-project OOXML VBA project: xl/vbaProject.bin 19456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.