Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 545c2540511b95ac…

MALICIOUS

Office (OOXML) / .XLSX

Size: 145.2 KB
Created: 2020-04-16 10:27:46 UTC
Authoring application: Microsoft Excel 15.0300
MD5: b2c2cf4e88bf2d87729524860b6d9cb7
SHA-1: 51e1c76cdd4c4daa8551b7d2c593a4489862f2ed
SHA-256: 545c2540511b95ace05b79b393530c4d1fe7929108ae23bc1d607b4e2c813ebb
Risk score: 320

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1204.002 User Execution: Malicious File

This workbook carries a Workbook_Open macro, an auto-execution entry point that fires as soon as the user enables macros. The macro creates a WScript.Shell object and also calls the VBA Shell() function; either one can launch an arbitrary process, which is what the T1059.003 mapping reflects. The command string is not stored in clear text: it is held as an encoded literal and rebuilt at runtime with a Mid/Asc/Chr character-shift loop, an obfuscation step that has no legitimate use in a spreadsheet and exists only to defeat string-based detection. The most likely purpose is a stager that runs the recovered shell command to fetch or launch a second-stage payload. Note that the .XLSX label is the analyzer's container classification; what matters for triage is that the package contains xl/vbaProject.bin, so the file extension alone says nothing about whether macros are present.

Heuristics (7)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
  • WScript.Shell usage [critical, OLE_VBA_WSCRIPT]
  • VBA character-shift decoded Shell command [critical, OLE_VBA_ASC_CHR_SHIFT_SHELL]
    An auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  • Workbook_Open macro [high, OLE_VBA_WBOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium, OOXML_VBA]
    The package contains xl/vbaProject.bin, so VBA macros are present.
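The OLE_VBA_ASC_CHR_SHIFT_SHELL heuristic above describes a pattern rather than the sample's exact code, which this report does not reproduce. The following is an added example, not the analyzer's own implementation and not the sample's macro: a small static check that finds a string literal, locates a `Chr(Asc(Mid(var, i, 1)) <op> N)` loop that consumes it, emulates the loop to recover the plaintext command, and combines that with auto-exec and execution-token checks into a severity. The VBA source in `SAMPLE_VBA` is constructed for the demo (the command is stored shifted by +3 and undone with `- 3`), and the severity ladder is an assumption that mirrors the report's critical/high/medium labels.

```python
"""Static check for the Mid/Asc/Chr character-shift stager pattern in VBA source.

Added example: SAMPLE_VBA is constructed to resemble the pattern the report
describes; it is not the analyzed sample's macro.
"""
import re

SAMPLE_VBA = '''
Private Sub Workbook_Open()
    Dim s As String, out As String, i As Integer
    s = "fpg#2f#fdof"
    For i = 1 To Len(s)
        out = out & Chr(Asc(Mid(s, i, 1)) - 3)
    Next i
    Set o = CreateObject("WScript.Shell")
    o.Run out, 0
    Shell out
End Sub
'''

# Auto-execution entry points Office runs without user interaction beyond enabling macros.
AUTOEXEC = ("Workbook_Open", "Workbook_Activate", "Auto_Open", "AutoOpen", "Document_Open")

# Execution/COM tokens; "Shell" deliberately excludes the "WScript.Shell" ProgID.
EXEC_PATTERNS = {
    "Shell": r"(?<![.\w])Shell\b",
    "WScript.Shell": r"WScript\.Shell",
    "CreateObject": r"\bCreateObject\s*\(",
    ".Run": r"\.Run\b",
    ".Exec": r"\.Exec\b",
}

# var = "literal" (VBA doubles embedded quotes, handled when the literal is extracted)
STRING_ASSIGN = re.compile(r'\b(\w+)\s*=\s*"((?:[^"\r\n]|"")*)"')

# Chr(Asc(Mid(var, i, 1)) +/-/Xor N): captures the variable, the operator and the shift
SHIFT_LOOP = re.compile(
    r"Chr\s*\(\s*Asc\s*\(\s*Mid\s*\(\s*(\w+)\s*,\s*\w+\s*,\s*1\s*\)\s*\)\s*([+\-]|Xor)\s*(\d+)\s*\)",
    re.IGNORECASE,
)


def emulate_loop(encoded: str, op: str, n: int) -> str:
    """Replay the macro's per-character transform to recover what it hands to Shell."""
    if op == "+":
        return "".join(chr((ord(c) + n) % 256) for c in encoded)  # VBA Chr() takes 0..255
    if op == "-":
        return "".join(chr((ord(c) - n) % 256) for c in encoded)
    return "".join(chr(ord(c) ^ n) for c in encoded)  # "xor"


def analyze_vba(src: str) -> dict:
    """Return auto-exec entry points, execution tokens, decoded literals and a severity."""
    literals = {name: val.replace('""', '"') for name, val in STRING_ASSIGN.findall(src)}
    decoded = {}
    for var, op, n in SHIFT_LOOP.findall(src):
        if var in literals:
            decoded[var] = emulate_loop(literals[var], op.lower(), int(n))
    autoexec = [name for name in AUTOEXEC if re.search(rf"\bSub\s+{name}\b", src, re.I)]
    exec_tokens = [tok for tok, pat in EXEC_PATTERNS.items() if re.search(pat, src)]
    # Assumed severity ladder, modelled on the report's labels: decoded command reaching
    # an execution sink from an auto-exec macro is the high-confidence stager case.
    if decoded and autoexec and exec_tokens:
        severity = "critical"
    elif autoexec and exec_tokens:
        severity = "high"
    elif autoexec or exec_tokens:
        severity = "medium"
    else:
        severity = "low"
    return {"autoexec": autoexec, "exec_tokens": exec_tokens,
            "decoded": decoded, "severity": severity}


if __name__ == "__main__":
    for key, value in analyze_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The decoder only emulates the single-character shift family named in the heuristic; real samples often add a second layer (string reversal, StrReverse, Replace, or a Split on a delimiter), and a loop that reads from a cell or form control rather than a literal will leave `decoded` empty while the auto-exec and token checks still fire, which is exactly when the carved source needs manual review.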

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 70fb4c5021732a82d941079da3d3f84045714b3bdb35272a71e03e618d80070b
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2164 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. The carved artifact contains 1 shell/COM execution token(s); the carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 73febb4a6720c2a0abd0939e5df7b278ecbc0cda883b408afd0acce235d5be2c
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 14848 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. The carved artifact contains 1 shell/COM execution token(s); the carved macro source contains an auto-exec entry point and execution/download terms.
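The second artifact above is the raw VBA project carved from xl/vbaProject.bin, and the OOXML_VBA heuristic fires on its presence alone. As an added example, not code from the analyzer, here is a container-level triage step that reproduces that check with only the standard library: it opens the package as a zip, reports whether xl/vbaProject.bin is present and looks like an OLE2/CFB file, hashes it the way the report does, reads the workbook main-part content type from [Content_Types].xml to see whether the package declares itself macro-enabled, and flags a .xlsx label that disagrees with the content. The test package built by `build_sample` is constructed for the demo and is not the sample analyzed here; the assumption that the report's "Authoring application" line is docProps/app.xml's Application plus AppVersion is mine.

```python
"""Container-level triage of an OOXML package for an embedded VBA project.

Added example. build_sample() constructs a minimal workbook package for the
demo; it is not the analyzed sample.
"""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # vbaProject.bin is a CFB/OLE2 container


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal package: a workbook with or without a VBA project part."""
    main_ct = MACRO_MAIN if with_vba else PLAIN_MAIN
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += ('<Override PartName="/xl/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        f'<Types xmlns="{CT_NS[1:-1]}">'
        '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>")
    app_xml = (f'<Properties xmlns="{APP_NS[1:-1]}">'
               "<Application>Microsoft Excel</Application>"
               "<AppVersion>15.0300</AppVersion></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("docProps/app.xml", app_xml)
        if with_vba:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # placeholder OLE blob
    return buf.getvalue()


def triage(package: bytes, claimed_ext: str) -> dict:
    """Report VBA presence, main-part content type, authoring app and extension mismatch."""
    result = {"has_vba": False, "vba_sha256": None, "vba_is_ole": False,
              "main_content_type": None, "macro_enabled_main_part": False,
              "authoring_app": None, "extension_mismatch": False}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        # The zip directory is attacker-controlled, so match the part name case-insensitively.
        vba_parts = [n for n in names if n.lower() == "xl/vbaproject.bin"]
        if vba_parts:
            blob = z.read(vba_parts[0])
            result.update(has_vba=True,
                          vba_sha256=hashlib.sha256(blob).hexdigest(),
                          vba_is_ole=blob.startswith(OLE_MAGIC))
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if ov.get("PartName", "").lower() == "/xl/workbook.xml":
                    result["main_content_type"] = ov.get("ContentType")
            result["macro_enabled_main_part"] = result["main_content_type"] == MACRO_MAIN
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            name = app.findtext(APP_NS + "Application") or ""
            version = app.findtext(APP_NS + "AppVersion") or ""
            result["authoring_app"] = (name + " " + version).strip() or None
    # A .xlsx label with a VBA project (or a macro-enabled main part) is itself a red flag:
    # the extension is what the recipient sees, the container is what Office acts on.
    result["extension_mismatch"] = claimed_ext.lower() == "xlsx" and (
        result["has_vba"] or result["macro_enabled_main_part"])
    return result


if __name__ == "__main__":
    for key, value in triage(build_sample(True), "xlsx").items():
        print(f"{key}: {value}")
```

This check is deliberately independent of the VBA source: it answers "is there a macro project in this container at all" before any decompression of the project stream, which is the step olevba performs next to produce the macros.bas artifact listed above. A package that declares the plain (non macro-enabled) main part but still ships xl/vbaProject.bin is worth treating with the same suspicion as one that declares itself macro-enabled under a .xlsx name.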