Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6543e374acbfe9a3…

MALICIOUS

Office (OOXML) / .XLSX

12.8 KB Created: 2021-02-25 21:49:42 UTC Authoring application: Microsoft Excel 16.0300
MD5: 4a0c41bbcf0808d99b6ac38bee9387fa SHA-1: f23168b828ce2080432793ca27443ae71c8fa466 SHA-256: 6543e374acbfe9a3bcfa9a76cb743aaea934c1a1fce7c419b42c27b3fbb1f880
322 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The VBA macro contains Auto_Open and Workbook_Open functions that execute a command using cmd.exe. This command utilizes certutil to download a JavaScript file from https://docs.healthmade.org//tc.js, saves it as tc.js in the user's Documents folder, executes it using cscript, and then deletes the JavaScript file. This indicates the macro's purpose is to download and execute a second-stage payload.

Heuristics 9

  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://docs.healthmade.org//tc.js

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2f1ea862e1846b7619b8c72351483adb3fb744aa2786a58903d77384ea8557e1		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1186 bytes
vbaProject_00.bin
9912f1a0b0b9557ef29387b1511307f4cbd52004e684a2c6527102d4dd9170e2		 vba-project OOXML VBA project: xl/vbaProject.bin 13824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.