Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9698437ebee17348…

MALICIOUS

Office (OOXML) / .XLSX

Size: 59.6 KB
Created: 2020-05-21 07:15:11 UTC
Authoring application: 16.0300
MD5: 4f11d0e0894c4d1ca9bc26cedd4547a5
SHA-1: 1c8c75936f9def42e34d7d28f208696d0d40ef0b
SHA-256: 9698437ebee173480497cf5c1a1f3d60a6a6eb0ed51eeac1b90929e149bce2d0
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1218 Signed Binary Proxy Execution (renamed System Binary Proxy Execution in current ATT&CK)

The OOXML workbook carries a VBA project whose macros call Shell() and instantiate the WScript.Shell COM object through CreateObject(). Both are standard primitives for running arbitrary commands from a document, typically to download and execute a second-stage payload, so their presence strongly indicates a macro-based delivery mechanism. No specific family could be identified from the available heuristics, and ClamAV signatures matched neither the document nor the carved macro source; the verdict rests on the heuristics below.

Heuristics: 5

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OOXML_VBA (medium): VBA project inside OOXML
    The document contains xl/vbaProject.bin, so VBA macros are present.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): suspicious extracted artifact
    One or more files carved from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
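The heuristics above can be reproduced with a short scanner. The following is an added example written for this page, not the code of the tool that produced the report. Its regexes, severity weights and verdict threshold are its own assumptions, the in-memory workbook it builds is constructed, and it takes the VBA source as already-decoded text, because decoding xl/vbaProject.bin needs an OLE parser plus MS-OVBA decompression (which is what oletools' olevba does).

```python
# Added example, not the report's scanner. Reproduces the OOXML_VBA container
# check and the three VBA token heuristics listed above with the standard library.
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional

# Heuristic IDs and severities as printed in the report; the patterns are ours.
# (?<!\.)\bShell\b catches both Shell("...") and the statement form Shell "...",
# but not the ".Shell" inside WScript.Shell, which has its own rule.
VBA_HEURISTICS = [
    ("OLE_VBA_SHELL", "critical", re.compile(r"(?<!\.)\bShell\b", re.I)),
    ("OLE_VBA_WSCRIPT", "critical", re.compile(r"\bWScript\.Shell\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
]
SEVERITY_WEIGHT = {"critical": 50, "high": 30, "medium": 10}  # assumed weights
MALICIOUS_THRESHOLD = 100                                       # assumed cut-off


def strip_vba_comments(src: str) -> str:
    """Drop whole-line VBA comments (' or Rem) so commented-out calls do not count."""
    return "\n".join(line for line in src.splitlines()
                     if not re.match(r"\s*('|Rem\b)", line, re.I))


def inspect_ooxml(data: bytes) -> Dict:
    """Walk the OOXML zip: record parts, the VBA project (OOXML_VBA) and media parts."""
    found: Dict = {"parts": [], "vba_project": None, "media": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            found["parts"].append(name)
            if name.lower() == "xl/vbaproject.bin":
                blob = zf.read(info)
                found["vba_project"] = {"size": len(blob),
                                        "sha256": hashlib.sha256(blob).hexdigest()}
            elif name.lower().startswith("xl/media/"):
                found["media"].append(name)   # e.g. the EMF parts the scanner carves out
    return found


def scan_vba_source(src: str) -> List[Dict]:
    """Apply the token heuristics to decoded VBA source; one hit per rule, with a count."""
    code = strip_vba_comments(src)
    hits = []
    for rule_id, severity, pattern in VBA_HEURISTICS:
        n = len(pattern.findall(code))
        if n:
            hits.append({"id": rule_id, "severity": severity, "count": n})
    return hits


def triage(data: bytes, vba_source: Optional[str]) -> Dict:
    """Combine container and source findings into a score and a verdict."""
    container = inspect_ooxml(data)
    hits: List[Dict] = []
    if container["vba_project"] is not None:
        hits.append({"id": "OOXML_VBA", "severity": "medium", "count": 1})
    if vba_source:
        hits.extend(scan_vba_source(vba_source))
    score = sum(SEVERITY_WEIGHT[h["severity"]] for h in hits)
    if score >= MALICIOUS_THRESHOLD:
        verdict = "MALICIOUS"
    elif score:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"container": container, "hits": hits, "score": score, "verdict": verdict}


def build_sample_xlsm() -> bytes:
    """Constructed macro-enabled workbook: a minimal zip with the part names the report lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")           # placeholder body
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # OLE magic + filler
        zf.writestr("xl/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 28)  # EMF header stub
    return buf.getvalue()


# Constructed VBA source standing in for what olevba would decode from the project.
SAMPLE_VBA = """\
Attribute VB_Name = "Module1"
' Shell "notepad.exe"   <- commented out, must not count
Sub Auto_Open()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd.exe /c echo constructed sample", 0
    Shell "cmd.exe /c echo second primitive", vbHide
End Sub
"""

if __name__ == "__main__":
    result = triage(build_sample_xlsm(), SAMPLE_VBA)
    for h in result["hits"]:
        print(f"{h['id']:<20} {h['severity']:<9} x{h['count']}")
    print("score", result["score"], "verdict", result["verdict"])
```

Run against the constructed workbook and source, all four rules fire once each and the verdict is MALICIOUS; with no decoded source only OOXML_VBA fires, which is why the container check alone should never be treated as more than a reason to go and decode the project.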

Extracted artifacts: 4

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 3e98f3902d5b22e92b16cc8539f60ea11f4aecc48f322c4b3d55959378b2e969
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1279 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).
  • vbaProject_00.bin
    SHA-256: 3df871db44c854ab1a48f361673354b5c351fcdcda6fdee92f45eb991262de99
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 16896 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).
  • emf_00.emf
    SHA-256: 765f240ce2883423fddbb691ab59a3309b07aa9bfc9b6208f8852fd44fca952f
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2784 bytes
  • emf_01.emf
    SHA-256: 1ba28807701f1477cac770c3cc12a7164ebb0db67f3a65a37e43271a037a86bd
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1408 bytes
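The macros.bas artifact is the VBA source that olevba decoded from xl/vbaProject.bin. Module source inside a VBA project is stored with the MS-OVBA compression scheme, and the following added example (written for this page, not oletools' implementation) decompresses such a container so the text can be scanned. It assumes the caller has already pulled the module stream out of the OLE compound file and knows the module's offset from the dir stream (olefile/olevba handle that part), and its inputs are constructed, including a hand-built chunk with a copy token to exercise the back-reference path and a literal-only encoder used to build multi-chunk test input.

```python
# Added example, not oletools' code: MS-OVBA (section 2.4.1) decompression of a
# VBA module stream, which is how olevba turns vbaProject.bin into readable source.
SIGNATURE = 0x01          # CompressedContainer signature byte
CHUNK_DATA_MAX = 4096     # size of one DecompressedChunk


def decompress_ovba(data: bytes) -> bytes:
    """Expand an MS-OVBA CompressedContainer (signature byte followed by chunks)."""
    if not data or data[0] != SIGNATURE:
        raise ValueError("not an MS-OVBA CompressedContainer (signature byte != 0x01)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header & 0x7000) != 0x3000:                      # CompressedChunkSignature
            raise ValueError(f"bad chunk signature at offset {pos}")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))   # field = chunk size - 3
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)                                # DecompressedChunkStart
        if not compressed:                                    # raw chunk: 4096 bytes verbatim
            out += data[pos:pos + CHUNK_DATA_MAX]
            pos += CHUNK_DATA_MAX
            continue
        while pos < chunk_end:
            flags = data[pos]                                 # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                    # LiteralToken: copy one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")   # CopyToken
                pos += 2
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("CopyToken before any literal in chunk")
                bit_count = max((produced - 1).bit_length(), 4)   # == max(ceil(log2 n), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("CopyToken offset reaches before chunk start")
                for _ in range(length):                       # byte-wise so overlap works
                    out.append(out[src])
                    src += 1
    return bytes(out)


def recover_vba_source(module_stream: bytes, module_offset: int) -> str:
    """Text of one module: the container starts at MODULEOFFSET (from the dir stream).
    Assumes cp1252; the real codepage comes from the project's PROJECTCODEPAGE record."""
    return decompress_ovba(module_stream[module_offset:]).decode("cp1252")


def compress_literal_only(src: bytes) -> bytes:
    """Constructed-test helper: a valid but non-shrinking container of literal tokens only.
    Each flag byte covers 8 literals, so 3640 input bytes give 455 * 9 = 4095 bytes of
    chunk data, keeping every chunk inside the 4096-byte limit."""
    out = bytearray([SIGNATURE])
    for start in range(0, len(src), 3640):
        piece = src[start:start + 3640]
        body = bytearray()
        for i in range(0, len(piece), 8):
            body.append(0x00)                 # all eight tokens that follow are literals
            body += piece[i:i + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        out += header.to_bytes(2, "little") + body
    return bytes(out)


# Constructed chunk: literals 'a','b','c' then a CopyToken (offset 3, length 6) -> b"abcabcabc".
# Flag byte 0x08 marks the 4th token as a copy; token 0x2003 = offset field 2, length field 3.
COPY_TOKEN_SAMPLE = bytes([0x01, 0x05, 0xB0, 0x08]) + b"abc" + bytes([0x03, 0x20])

if __name__ == "__main__":
    sample = b'Sub Auto_Open()\r\n    Set o = CreateObject("WScript.Shell")\r\nEnd Sub\r\n'
    print(recover_vba_source(compress_literal_only(sample), 0))
    print(decompress_ovba(COPY_TOKEN_SAMPLE))
```

The bit_count rule is the part most implementations get wrong: the split between offset and length bits depends on how many bytes have already been produced in the current chunk, not on the whole output, so a decoder that forgets to reset chunk_start at each chunk header will desynchronise after the first 4096 bytes.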