Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 95b3882e2ba6d5f3…

MALICIOUS

Office (OOXML) / .XLSM

102.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300
MD5: cc1439b54aa4b3db324fb921b94870ef SHA-1: 33a4c8af524b8e37f290000c654d897b440fd86c SHA-256: 95b3882e2ba6d5f35be8c35aa3d047e41ec110eb7f8aa69af7652f1cc29a6fb7
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The critical OLE_VBA_SHELL heuristic indicates the presence of a Shell() call within the VBA macros. The extracted VBA script contains obfuscated code that, when deobfuscated, reveals a PowerShell command. This command is designed to download a second-stage executable ('CSOIQYRONAEP1.exe') from a specific URL ('http://18.192.215.191/tea/z/CSOIQYRONAEP1.exe') and execute it. The script also attempts to save this payload as 'Vpxldboqapmd.bat' and execute it using 'powershell.exe -M MIN start '.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f5dc98dc0c8aa4f3e3c05284c13d1278c3343f358d1d3c458601bf4a413c77d7		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2469 bytes
vbaProject_00.bin
98744bdde27d281024a310f4b4e4d5e9773e36d566f2edfc5e3dc368e68810d3		 vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.