Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8b575b5ff9615c2c…

MALICIOUS

Office (OOXML) / .XLSM

Size: 26.1 KB
Created: 2022-05-30 14:51:42 UTC
Authoring application: 16.0300
First seen: 2022-05-31
MD5: 9254bcde5cd104ec4ed03abc069c17bb
SHA-1: 44a8295591fc2c7dc50412a8926284b969ea0ea1
SHA-256: 8b575b5ff9615c2c171a9b88651601e094f7392da89e7bf946d1ed5626d4975b
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

The XLSM file contains VBA macros that call the URLDownloadToFileA API to download a payload. The macro reconstructs the download path 'C:\Users\Public\1.dll' at runtime rather than storing it as a single string. It also attempts to execute a file named 'calc.exe' with the argument 'PluginInit', likely to launch the downloaded payload. The document body text is obfuscated and provides no further context on the lure.

Heuristics (4)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile call in VBA
  • OLE_VBA_CREATEOBJ (high): CreateObject call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: d4088b124a6947d3d9b19804c3dcbd055b4ba4dc9ef67e824d075339c67864fe
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1952 bytes

Artifact 2
  Filename: vbaProject_00.bin
  SHA-256: 803485d3cf2891356d04dae76df0b8f71e773aafafe763754da133800978f37c
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 17408 bytes