Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 7ccf4375d2107ee4…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSM
Size: 88.1 KB
Created: 2021-10-23 15:11:41 UTC
Authoring application: Microsoft Excel 15.0300
MD5: d458026430256e3d3e62a82975972437
SHA-1: acf0ef56da88e3b122c6ca52d43313ffe0422cd7
SHA-256: 7ccf4375d2107ee472889897b85c4bd563cd093b628ba9c8318f17e76a65a710
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample contains VBA macros that utilize the Shell() function to execute a PowerShell command. This command is designed to download a second-stage executable named 'SegA5b.exe' from 'http://ddl8.data.hh/get/246747/13107078/SegA5b.exe' into the user's APPDATA directory and then execute it. The script also attempts to save this command to a batch file named 'Vapxnniwpihzghdh.bat'.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    SHA-256: 4979798a7322d9ff7a4ae4b0849b5d07d4201a64d5cff76c82ff7a92e3b8232a
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2449 bytes
  • vbaProject_00.bin
    Kind: vba-project
    SHA-256: 010a3530a61faccb4c71be6dc8d4055df48d1a4f736eb644d68775b8d2c3ccef
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes