Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 802c0f76e89dc4f2…

MALICIOUS

Office (OOXML) / .XLSM

Size: 42.4 KB
Created: 2020-01-28 19:47:00 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-08-20
MD5: 5f8f3fa6a4e85a8a02df2d7518c4ca36
SHA-1: a496f6734e90f37896d356fa68f96b1398441b6d
SHA-256: 802c0f76e89dc4f2d3fe1b2ce0c96487b2b53331b82cf6340dc3cc499490f660
Risk Score: 370

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample is an XLSM file containing a Workbook_Open macro that executes a command. This command uses certutil.exe to download a file from http://winmanindustries.com/wp-includes/Dxvbj.exe and save it as Lexwcwt.exe.exe, and then executes the downloaded file. The document body attempts to trick the user into enabling content by presenting itself as an Excel tutorial.

Heuristics 10

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
    LOLBin reference in VBA
  • ClamAV: Xls.Dropper.EPPlus-9802867-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
    cmd.exe reference in VBA
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (3) (low, OOXML_EXTERNAL_HYPERLINKS)
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: http://go.microsoft.com/fwlink/?LinkId=846285
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://winmanindustries.com/wp-includes/Dxvbj.exe
    • http://go.microsoft.com/fwlink/?LinkId=846285
    • http://go.microsoft.com/fwlink/?LinkId=844969

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a9a8c5458a1f489a25cee2ad0188a789288c18a968a614b25f8be2f86a44d745
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1402 bytes

Filename: vbaProject_00.bin
SHA-256: e1cf4b284d6aaaaff083bf71d247dec7b077d341cf015fcfa9f8a22361f83d74
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 6144 bytes

Detection
ClamAV: Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload: unlikely