Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 48dcf62db10eec0b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 9.3 KB
Created: 2021-10-08 10:35:53 UTC
Authoring application: Microsoft Excel 16.0300
MD5: bd8236b1d33298e2b78150ff09dc486a
SHA-1: f76c745316904f4982485a5fce2cb4a0be71ec38
SHA-256: 48dcf62db10eec0b681dd31a36f6480b2d45efe0ac91bf12efbc264507028ee8
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an XLSM file containing VBA macros. A critical-severity heuristic fired on a Shell() call within the VBA code. The macro decodes a Base64 string that, once decoded, reveals a PowerShell command to download a file from 'http://84.252.122.203/acs/msn.exe', save it as 'Xvbephjupc.exe' in the user's AppData directory, and then execute it. The document therefore acts as a downloader for a second-stage payload.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
    Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 2c7fb4fe09268de45c227032054117deb8063d15e045a0d71c0f022e2c35946a
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2542 bytes

Filename: vbaProject_00.bin
  SHA-256: 46ac031811dea1f61f6f47898c2491e883adeeb9b7ecfbf117ca7195fb433c39
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 6144 bytes