Office (OOXML) malware analysis — malicious · 499cbd245d9f9f72

MALICIOUS

Office (OOXML)

3.9 KB First seen: 2021-06-20

MD5: ff1d069fee7c39a68cc165c1d4dac3f2 SHA-1: c2365c5bb7a16e660d5009d077e292754664c529 SHA-256: 499cbd245d9f9f727abd74633f1c0cccfcb9b2f68a6250079114c8e8bb983861

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Office document containing a Workbook_Open VBA macro. This macro uses the Shell() function to execute 'calc.exe', indicating a dropper or initial execution stage. The ClamAV detection 'Xls.Dropper.EPPlus-9802867-2' further supports its role as a malicious dropper.

Heuristics 4

ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
VBA project inside OOXML medium 2 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	852 bytes
SHA-256: `81f33300654310c197dae8afeca1601921264cd0c6899cee5ee40aa84ed99c28`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() Dim Program As String Dim TaskID As Double On Error Resume Next Program = "calc.exe" TaskID = Shell(Program, 1) If Err <> 0 Then MsgBox "Can't start " & Program End If End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	4608 bytes
SHA-256: `44402c955071ab4b6f0d3548363fba9d579e2c1b675e54b1ee2e39aa9cfa143b`
Detection ClamAV: Xls.Dropper.EPPlus-9802867-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.