Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 84636c289595b15e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 58.3 KB
Created: 2020-06-03 10:17:35 UTC
Authoring application: 16.0300
MD5: 41b9618d159eaf5e24d9e07ef105d7ce
SHA-1: c5b8da053c96a6e4e904846d70a35c93a97db7dd
SHA-256: 84636c289595b15e4a7a30eb0c4d2270cbad1ac475ce22517cc941a2961b7418
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an Office document containing VBA macros that leverage WScript.Shell to execute arbitrary code. The macro appears to construct a string and then use it to execute a command, likely to download and run a second-stage payload. ClamAV detection further confirms its malicious nature as a dropper.

Heuristics (5)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • ClamAV: Doc.Dropper.Agent-7998254-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7998254-0
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project; VBA macros are present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                           Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)   1071 bytes
  SHA-256: 756e4bff1a433fa7e03cedc6413dedbbe4735ccc7cff21930713bbfef07689c5
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                             15360 bytes
  SHA-256: 87ba7a0f00ad5d52f839eefe83e0112c5e60e7c2c4a60cc74592239fc975c6a2
emf_00.emf         ooxml-emf    OOXML EMF part: xl/media/image1.emf                              1976 bytes
  SHA-256: 76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d