Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 96eddb8bf62b9756…

MALICIOUS

Office (OOXML) / .XLSM

Size: 22.7 KB
Created: 2020-01-28 19:47:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 39a6ca63cbd3411d4a8b847723630412
SHA-1: 719f9d8b551c2679053ff54196523a3be0d92571
SHA-256: 96eddb8bf62b9756bea8f8d7892a65c6adb8cbfa3b03c2d06c76835e90596808
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

The document contains a lure to enable macros, a common technique for malware delivery. When executed, the VBA script constructs and runs a batch file named 'egatezwmjaujvmbnpxvjbny.bat'. This batch file uses PowerShell to download a second-stage payload ('images.exe') from 'http://20.51.217.113/tool/images.exe', saves it to 'C:\APTDATA\ProcNname\image.exe', and then executes it. The script also attempts to establish persistence by writing to the registry, though the exact key is obfuscated.

Heuristics (3)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
    Shell() call in VBA
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains vbaProject.bin (VBA macros present)
  • [medium] SE_ENABLE_LURE: Macro/content-enable lure
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2324 bytes
  SHA-256: ee3bb8e439bb535d494c2ab91d17875a7162dc6cdfe3be131e9fc2eb8eebf11e

vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes
  SHA-256: 3b04a73313ab82f574f3669d15a88e846d94df082a56140ce26d3a14c408e6d8