Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7a0af8308b9f34d8…

MALICIOUS

Office (OOXML) / .XLSX

62.3 KB Created: 2020-06-01 11:14:29 UTC Authoring application: 16.0300
MD5: 6f9784fe699d93d5b39ca0f45e8d2c9e SHA-1: 1d75a29f7d015319612911bd08f869be8092d724 SHA-256: 7a0af8308b9f34d8bceced23b99bca01a60befb8750bd987a91ccf7dc7721357
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate the use of Shell() and CreateObject() via WScript.Shell, suggesting the execution of external commands. ClamAV signatures identify it as 'Xls.Dropper.Agent-8009214-0', a known dropper. The primary function appears to be downloading and executing a second-stage payload.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Xls.Dropper.Agent-8009214-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8009214-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ed4329b1ae54191dc9baa1cf8d935fedcd6e6679d46f49314d981d500365eeab		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1086 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
vbaProject_00.bin
63263c3b7aa5112510b3dbe9fd8a9d2cdd447d80067ba7ac49d6b183c259442d		 vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes
Detection
ClamAV: Xls.Dropper.Agent-8009214-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
emf_00.emf
4609916d8bdbc79e29612828ccd046cae14d7ddc0bfea0db84520ad5f180a00d		 ooxml-emf OOXML EMF part: xl/media/image1.emf 1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.