Office (OOXML) / .XLSM malware analysis — malicious · 91672c7d8c217941

MALICIOUS

Office (OOXML) / .XLSM

59.4 KB Created: 2022-08-09 08:57:53 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-08-09

MD5: 1139f6a99ed8fa8a41007bfb51ca4969 SHA-1: 2900f31ee404066291faa0905622b86c6230c661 SHA-256: 91672c7d8c2179413a3aa5b8c081a3f81878b4a27a1aaf9b07579f31ad70355a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macros within this OOXML document are designed to download a file from the internet using the .ResponseBody property and then save it to disk using .SaveToFile. The presence of VBA macros and the specific heuristic firing strongly suggest a downloader or droppper functionality.

Heuristics 4

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ce61a9a743bb53603d10048c06877c51ef47ae5560a4ce0cda720b215f36aca4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3836 bytes
`vbaProject_00.bin` `44403fe572c23ca7c29743e21897a968f7cb26a1bdeec0fc71d25e5b07e3aa6f`	vba-project	OOXML VBA project: xl/vbaProject.bin	25088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.