Office (OOXML) / .XLSM malware analysis — malicious · 6d7a3c94029eae1f

MALICIOUS

Office (OOXML) / .XLSM

22.6 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-27

MD5: 813ea913d6a98ab64b753253f3c0a636 SHA-1: b05b9497ffeaebc75ec53a10e8be47ae76310b66 SHA-256: 6d7a3c94029eae1f0906330a6c9773c9e6fcf2262b0d62dc51df07e01462c42f

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a macro-enabled Excel file (.XLSM) that contains a Workbook_Open macro. This macro executes a shell command to launch 'mshta.exe' with a URL pointing to a JavaScript file. The JavaScript file is likely responsible for downloading and executing a second-stage payload. The presence of the Shell() call and the execution of external scripts indicate a malicious intent to download and run further malicious code.

Heuristics 7

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://bitbucket.org/!api/2.0/snippets/rikimartinplace/Kp4pKb/187e154a8ee9476460cdd854f62754084839042e/files/gibsonfinal

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `370c6490cf4fc7c4477b1e342f44606a26acc94c6b700d350be019aeacb2dbfb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2592 bytes
`vbaProject_00.bin` `9a2907d8b86573f357c5e020e6376710e0d50cead6e7c88f6b1c829affea2bc2`	vba-project	OOXML VBA project: xl/vbaProject.bin	33280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.