Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 898697482a6bb0d3…

MALICIOUS

Office (OOXML) / .XLSM

Size: 116.6 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 14.0300
MD5: 5ceae1b9bce1cd1b10cbd81a3d0b1992
SHA-1: 160c6067627a148d484e7619c837324012e473fe
SHA-256: 898697482a6bb0d3b2d0b9dd85d348b676f3dea220367fb63668c8d55a741eb5
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that reconstruct a PowerShell launch string by applying StrReverse to ' cne- 1 niw- exe.llehsrewop\0.1v\llehSrewoPswodniW\23metsyS\swodniW\:C' (which reverses to 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc ', i.e. a hidden-window, base64-encoded command invocation). The macro then supplies a base64-encoded PowerShell command that, when decoded, sets a variable for the filename 'Cfgkyvaprsvdocptglspi.exe', downloads a second-stage payload from 'http://65.2.149.25/pef/B/ipv6/stoppp.exe', and executes it from the same directory. The use of Shell() to run the command is confirmed by the OLE_VBA_SHELL heuristic firing.

Heuristics (2)

  • Shell() call in VBA [severity: critical, rule: OLE_VBA_SHELL]
    Shell() call in VBA
  • VBA project inside OOXML [severity: medium, rule: OOXML_VBA]
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 1b9be642eabc4a8376b32f00f6ed2823bf5e7f19d379adf0867b8dda111289e8
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2528 bytes

Filename: vbaProject_00.bin
  SHA-256: 34291a418af3e9fcc9b596b9fc722dba447f10d22d818bb66df87fae7da4fb30
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 18432 bytes