Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9c153adf77d3aafa…

MALICIOUS

Office (OOXML) / .XLSX

67.9 KB Created: 2012-10-19 22:33:57 UTC Authoring application: Microsoft Excel 12.0000
MD5: 75fb211a9b1555d2ff1725bd2436def5 SHA-1: 875930cc449d3c5c08119bad49750955fe51dc41 SHA-256: 9c153adf77d3aafa19aa1d1389803a16e0fca51a9b3caa5ca3c8353277fd7483
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro designed to execute automatically. The script utilizes CreateObject to interact with the file system and schedule tasks, creating a file named 'qDialogErrorChecking.xsl' in the ALLUSERSPROFILE directory. This behavior strongly suggests the intent to download and execute a second-stage payload, establishing a foothold on the system.

Heuristics 6

  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7842bc9b54ec768bae8f776e556e2ce9483ed97783d2baa23e1885abebdbb00b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3464 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
a720a88a0bff9e52e04dce4b6dca2d9555b90b1d1e18f5129922e30c79e03891		 vba-project OOXML VBA project: xl/vbaProject.bin 16896 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.