Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 7d0280aef581c9dc…

MALICIOUS

Office (OOXML) / .XLSM

635.1 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 12.0000
MD5: 2a46b7ff70e61702878336c0bbb5c7f3 SHA-1: 81ba20b79fabc766f1cbdaa2b24f7ac08e7961bd SHA-256: 7d0280aef581c9dc1232615c7c3586e13dc9115862af18a0acf0fafd77c6a75f
170 Risk Score

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844732
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • https://go.microsoft.com/fwlink/?linkid=844732
    • https://go.microsoft.com/fwlink/?linkid=844745
    • https://go.microsoft.com/fwlink/?linkid=844729
    • https://go.microsoft.com/fwlink/?linkid=844739
    • https://go.microsoft.com/fwlink/?linkid=844749
    • https://go.microsoft.com/fwlink/?linkid=844744
    • http://go.microsoft.com/fwlink/?LinkId=846286
    • http://go.microsoft.com/fwlink/?LinkId=844969
    • https://go.microsoft.com/fwlink/?linkid=844725
    • https://go.microsoft.com/fwlink/?linkid=844730
    • https://go.microsoft.com/fwlink/?linkid=844735
    • https://go.microsoft.com/fwlink/?linkid=844751
    • https://go.microsoft.com/fwlink/?linkid=844752
    • https://go.microsoft.com/fwlink/?linkid=844750
    • https://go.microsoft.com/fwlink/?linkid=844731
    • https://go.microsoft.com/fwlink/?linkid=844726
    • https://go.microsoft.com/fwlink/?linkid=844742

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
71ec45a7214ff63121314b701fc853d2254519c5e9ea54be54d910ee510daa91		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5795 bytes
vbaProject_00.bin
3ec472b97bfc749ed0a63c72f32b36ad56b3908d5edbc0c2015753f47331fe1a		 vba-project OOXML VBA project: xl/vbaProject.bin 9728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.