Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 4acb558de107f0cd…

MALICIOUS

Office (OOXML) / .XLSM

88.1 KB Created: 2021-10-23 15:11:41 UTC Authoring application: Microsoft Excel 15.0300
MD5: 8ed132e5a0ebdfb918549110060b639c SHA-1: 950cbd5d71e7b7cea08e66d5befeee767f66f802 SHA-256: 4acb558de107f0cd6c32e53de98d4a2cd91ff8d3a8f93caa73188b39bb66c270
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. A critical heuristic firing indicates the presence of a Shell() call within the VBA code. The extracted VBA script constructs a PowerShell command that downloads a second-stage executable named 'Jogerb.exe' from 'http://ddl8.data.hu/get/355185/13087540/Jogerb.exe' and then executes it. The script also saves this command to a batch file named 'Sgjeutyk.bat' before attempting to execute it.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a138fdecee30f0e92de70740606df5d3c08cbdddc4d44092775637099bd5745b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2431 bytes
vbaProject_00.bin
335c2f4220bb62b0da49cd04f0b70632b412bc056a85ce56eae14b3fa612560c		 vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.