Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 87b8c12b32af3a2f…

MALICIOUS

Office (OOXML) / .XLSM

Size: 30.1 KB
Created: 2022-06-06 14:15:08 UTC
Authoring application: 16.0300
First seen: 2022-06-07
MD5: c8cd88ef38e0c74a74e255df1cfb35ab
SHA-1: 9bc909c696b97cb2b85bd60ecde0ce2c158d5be2
SHA-256: 87b8c12b32af3a2f0ffa4fbc4f8bc9c10789e5130ce73d02dfbfe1b6d9463619
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. The macros call the URLDownloadToFileA function to download a file from an embedded URL, and the script reconstructs the download path as 'C:\Users\Public\198.vbs' at runtime. It also uses Shell() and CreateObject(), which are commonly used to execute a downloaded payload. The document body text is nonsensical and is most likely filler intended to obscure the document's purpose.

Heuristics (4)

  • Shell() call in VBA — critical — OLE_VBA_SHELL
  • URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD
  • CreateObject call — high — OLE_VBA_CREATEOBJ
  • VBA project inside OOXML — medium — OOXML_VBA
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: aba2a2a5f2d8a917c531c7095cc16aea128426b94f1b94dee69828c65d535655
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2101 bytes

Filename: vbaProject_00.bin
  SHA-256: 187bb028675451f6690c5ba7a980e69b38816161b7188789138e747c5421d5bf
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 17408 bytes