Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 434904a61e7c19d3…

MALICIOUS

Office (OOXML) / .XLSM

Size: 54.1 KB
Created: 2022-05-03 13:04:00 UTC
Authoring application: 16.0300
First seen: 2022-05-04
MD5: 79a9ff12dec3d84ad79ae4da97b743ec
SHA-1: 1f0f7378fddee1903646787c9d966222fa7df3b7
SHA-256: 434904a61e7c19d3896abb520229efa5fb5d9593ef396f65a147103c363b8378
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. A critical-severity heuristic fired on the presence of URLDownloadToFile, a Windows API function commonly used by malware to download second-stage payloads. The VBA code appears to be designed to call this function, likely to fetch and run malicious content from a remote source. The document body text is nonsensical, suggesting it is either obfuscated or a lure.

Heuristics (3)

  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OOXML_VBA: VBA project inside OOXML (document contains vbaProject.bin; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename         | Kind        | Source                                                          | Size
macros.bas       | vba-macro   | oletools.olevba.extract_macros (decoded VBA source from OOXML)  | 10895 bytes
  SHA-256: b4900986e2f707cd8e4b8a32bd6de6389ac3dada71277fc11c6b3d8cd948c8e7
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin                            | 38912 bytes
  SHA-256: e4564cbe01afcc9cbd65849666ec21358d2f73d0d6a390ba14adf4be53f15860