Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 578c01870c999238…

MALICIOUS

Office (OOXML) / .XLSM

Size: 297.8 KB
Created: 2021-04-19 14:37:44 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 85894dab57947ca3d40417e90c38233c
SHA-1: 91eb924305eaaddfcec146b4acce2f2fad43e9bd
SHA-256: 578c01870c99923807b8207bdbfa93a31ee6891807a441756f56290a750dbe3d
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing a Workbook_Open macro, so it is designed to execute code as soon as the workbook is opened. The macro uses CreateObject and Environ calls, suggesting it interacts with the system environment and potentially downloads or executes further payloads. The obfuscated document body text, combined with the presence of VBA macros, points to a malicious document designed to trick the user into enabling macro execution for a secondary download or execution stage.

Heuristics (6)

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Auto-executing Workbook_Open macro present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call in VBA source
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin, so VBA macros are present
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call reads environment variables
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 135f1cf557303c52cea661d511e05a517d1889daa164e31ccacc6d20fdc642f5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 82042 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 24 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
  • Filename: vbaProject_00.bin
    SHA-256: eceb0288f43e41e83160be12dbd089e7fab0131556a6675236fc5a5a6a6e8c0e
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 247808 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.