Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 62d56abd7c3905fd…

MALICIOUS

File type: Office (OOXML)
Size: 70.3 KB
Created: 2021-07-28 13:23:45 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8870b3f8b6e1b0f667ba5cff47b3567b
SHA-1: a6f8411532cb2e2d071c3f016a0ab9dc0adbf367
SHA-256: 62d56abd7c3905fd46cb53d1826d10ae663172c52a8bda148e6f7de64b3e7ac7
Risk score: 250

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that use WScript.Shell and CreateObject to execute commands and download files. In particular, the URLDownloadToFile API is called, indicating an intent to fetch and run a second-stage payload. The combined use of Shell() and WScript.Shell strongly suggests arbitrary command execution. The macro's visible functionality relates to manipulating sheet visibility, but the critical heuristic hits point to a downloader or dropper.

Heuristics (7)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/florentbr/SeleniumBasic/releases/download/v2.0.9.0/SeleniumBasic-2.0.9.0.*
    • https://developer.microsoft.com/en-us/microsoft-edge/tools/webdriver/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 28f59fe31d20366f5669d47de65de32089b41d0a0aa492dbff397fb0cf09c8c9
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 14017 bytes
  • Filename: vbaProject_00.bin
    SHA-256: d286516055552d9b3f5d8cdc6787a80dafee128fc24dc4fc17f086d2abc4e83e
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 68608 bytes