Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 4987b259e5ff095f…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.2 KB
Created: 2022-01-04 14:07:30 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 517a311aff52327605631823207279e0
SHA-1: 0012962fdd83c6ca591d9912a2435942200e938a
SHA-256: 4987b259e5ff095fdb679b905093b4f888a3d88b4a3c061e27ab7fa8f36b2632
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1059.005 Visual Basic

The sample is an XLSM file containing VBA macros. The Workbook_Activate subroutine triggers the execution of a batch file named 'Jetvltrbngkjaw.bat'. This batch file is constructed by concatenating strings to form a PowerShell command. The PowerShell command downloads an executable file from 'http://dl8.data.hu/get/356815/1314820/joge.exe' and executes it. The critical heuristic firing 'OLE_VBA_SHELL' confirms the use of the Shell() function to execute external commands.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 815e9d0519474e5c951a268c7ff2dc561c9f5791cca6747bb9a42e46f7d10709
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    2361 bytes

Filename: vbaProject_00.bin
  SHA-256: eba2907c2bba82032950e59d80f644a4afc4fd9a7e4f72612d1a793b523b17d8
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    6144 bytes