Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 50e1203d5afefeed…

MALICIOUS

Office (OOXML) / .XLSM

45.2 KB Created: 2022-07-20 09:00:31 UTC Authoring application: 16.0300 First seen: 2022-07-20
MD5: 9737703391db4a58cead1e1525719cb0 SHA-1: 8b4158d527abc6fb89e8112bbccde7207ae0db2d SHA-256: 50e1203d5afefeed67f616b84459c55d8b38aafcacab7edab81f2055d21aefc1
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'VBA downloads and writes a file to disk' indicates the macro's intent to fetch and execute a payload. The script attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. The obfuscated nature of the script prevents a more detailed analysis of the downloaded payload.

Heuristics 5

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
46be2829e77a3628e528d8e2dcee67271fedc0cdadddd9e1d084a3e17e42a617		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3728 bytes
vbaProject_00.bin
5f7e04a3a6b0cbf656c54ab475b76d7a7b585e213edf05510e84b06457973a00		 vba-project OOXML VBA project: xl/vbaProject.bin 31232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.