Office (OOXML) / .XLSM malware analysis — malicious · 46c635757927550c

MALICIOUS

Office (OOXML) / .XLSM

102.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300

MD5: 18ceb91dd889d45b382fabe3c2be9289 SHA-1: 5b9b49fa2e8de5b0da39042e8b8bed79433099eb SHA-256: 46c635757927550c021a9953105fd0c3f5609722471c8a3cea5ca9291ac057c2

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.001 PowerShell T1204.002 T1566.001-Phishing: Spearphishing Attachment T1105 Ingress Tool Transfer

The VBA macro constructs a batch file named 'Oyigdnmrdwpwlkohs.bat' containing a reconstructed command: 'start /MIN PowerShell.exe -MIN /M C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -MIN /M' (via Prefix1 and Prefix3) followed by a Base64 encoded PowerShell script (via Prefix2). The Base64 payload decodes to a command that downloads and executes 'Rmhrgkdwiq.exe' from 'http://65.2.149.25/pef/Bipvy6/CSOIYQRONAGPERVB.exe' to the environment variable path and starts the same. The Shell() call executes the batch file to trigger the payload delivery.

Heuristics 2

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1d8fce937b3eb5ae6883fcdff381ecb6c5514a43b0f719f9a471368bfbe53fb0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2414 bytes
`vbaProject_00.bin` `9fa3f3a87e17978437ed37703e257a59dda2d2bcf84d6d4f4873a59180d5b1d7`	vba-project	OOXML VBA project: xl/vbaProject.bin	6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.