Office (OOXML) / .XLSM malware analysis — malicious · 7877200f3f382801

MALICIOUS

Office (OOXML) / .XLSM

1.25 MB Created: 2021-02-06 23:35:33 UTC Authoring application: Microsoft Excel 16.0300

MD5: 804199ef2e1f55277fbd843cb4c86479 SHA-1: 4285afd68c743a834ec90270cca08ea5db10bfa7 SHA-256: 7877200f3f382801e8f65f786bd6d0fb44da6e8c55d52876cdb5a513ecd56829

450 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The XLSM file contains a Workbook_Open macro that uses WScript.Shell to execute a downloaded payload. The macro decodes a Base64 string which is written to a file named 'WindowsDefender.exe' and then executed. The URL for downloading the payload is https://bitbucket.org/artanoGuima/onemore/downloads/payloadEmail.exe. This indicates a downloader or dropper functionality.

Heuristics 11

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.linkedin.com/in/laurasilvae4890/
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bitbucket.org/artanoGuima/onemore/downloads/payloadEmail.exe
- https://www.linkedin.com/in/laurasilvae4890/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `dc41d98d668d594a984ba83d8cd7bf30b3dee4fc04602b93852432c6d2311ffb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3142 bytes
`vbaProject_00.bin` `6e9738e39618b575a5724469274badf2521a15dd2ce81665ccf5495c4d549ecc`	vba-project	OOXML VBA project: xl/vbaProject.bin	24576 bytes
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely
`emf_00.emf` `0267043ae8226cfe96b45529d3a701b5936758f28b966c55c3bbe76c4bf606f2`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1108 bytes
`emf_01.emf` `369338825a91500392b48326331c6451b0494d846e45e388aea87d357464b35a`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	1108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.