Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5821ff4e30829076…

MALICIOUS

Office (OOXML)

70.7 KB Created: 2021-07-28 13:23:45 UTC Authoring application: Microsoft Excel 16.0300
MD5: e1f6198f7dc29bd819ca5bcc7b514ba8 SHA-1: d18fd5e0dd7922071b43ce75c246bb450c20da14 SHA-256: 5821ff4e3082907600b3f3727f94123485b4ff53c141e75c59160247a745959f
370 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The file is an Office document containing VBA macros that leverage WScript.Shell and CreateObject to execute commands. Specifically, the macros utilize URLDownloadToFile to download a second-stage payload from the provided URL, indicating a dropper or downloader functionality. The ClamAV detection 'Doc.Dropper.Agent-6412232-1' further supports this assessment.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/florentbr/SeleniumBasic/releases/download/v2.0.9.0/SeleniumBasic-2.0.9.0.exe
    • https://developer.microsoft.com/en-us/microsoft-edge/tools/webdriver/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
449be1fb486f58bca8b592bb6b4c804d6d371e4ca32d0b7b8367b7e7eccc5c0f		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 15536 bytes
vbaProject_00.bin
ad1b50b2e6662bbccdddb6d2681d4c7a3247a666bf336b023affa8eb47b6a9e2		 vba-project OOXML VBA project: xl/vbaProject.bin 69120 bytes
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.