Office (OOXML) / .XLSM malware analysis — malicious · 7139ded23a4242b4

MALICIOUS

Office (OOXML) / .XLSM

219.9 KB Created: 2021-05-07 12:30:52 UTC Authoring application: Microsoft Excel 15.0300

MD5: c1d1e95f5b0220672f6ec435cd63ab71 SHA-1: 5548784998d197d64c1837aab77a67fd7ba68978 SHA-256: 7139ded23a4242b4c8e4b71428384d2b82c4f93b0dba2ab244b0bce282c1707e

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an XLSM file containing a Workbook_Open VBA macro. This macro utilizes CreateObject to instantiate Wscript.Shell and MSXML2.XMLHTTP objects, enabling it to download a file from one of the embedded URLs and execute it using rundll32.exe. The ClamAV detection name 'Xls.Downloader.TrendMicroDridex0521-9860965-0' strongly suggests a downloader functionality, likely for the Dridex banking trojan.

Heuristics 9

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://2nub.es/lib/js/prettyphoto/images/prettyPhoto/DDndV1TI5lvC3M7.php
- https://ramdevagroindustries.com/images/blog/WZVRzcoUaXZ.php
- https://buyjointsonline.com/wp-content/plugins/wpforms-lite/templates/emails/pM44c3eiAK6.php
- https://co-deporte.com/wp-content/plugins/revslider/includes/InstagramScraper/DR34CZJP1juKE.php
- https://lerc.gov.lr/231electricity/editor/tinymce/themes/modern/Z9grXigF03Qy.php
- https://ncc-services.com/ncc_hr/js/tinymce/plugins/advlist/Qw3HExfj.php
- https://ctfiladelfia.projetosestruturais.com/LR7u0G1zGjUJ.php
- https://malsign.com/ICkPFoHIaO.php
- https://sezencin.com/ozzzpanel/js/mylibs/forms/uploader/864sv4ph.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2816db477b29c4ed7117d1614588d02f09494ede22b40d938f7b24a72ae9d3d6`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	42612 bytes
`vbaProject_00.bin` `729767c03a278276560378a84d8dc057eb9f2fc475f10b1ac4577520e45f006e`	vba-project	OOXML VBA project: xl/vbaProject.bin	266240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.