Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 9d2c95265df8e489…

MALICIOUS

Office (OOXML) / .XLSM

Size: 45.3 KB
Created: 2022-04-27 07:05:41 UTC
Authoring application: 16.0300
First seen: 2022-04-28
MD5: f174e9cf33397d9f7f58daf082315fe1
SHA-1: 35abb9a8ed25f2a194b81ecbf164fd293d4a3b6a
SHA-256: 9d2c95265df8e4891ee37542e84b406fa9bfcb4386c6ea025b00d686092798ff
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. A critical-severity heuristic fired on the use of URLDownloadToFile, a common technique for downloading and executing second-stage payloads. The VBA source also contains API calls related to process creation and manipulation, which further supports a payload-execution intent. The document body contains seemingly random strings, most likely obfuscation, and offers no clear lure.

Heuristics (3)

  • URLDownloadToFile in VBA (severity: critical, rule: OLE_VBA_DOWNLOAD)
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: f1df69ead6e0eea07b3bc724cbfa6442480f2ec73b8b09f594a1806b409a4295
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 10920 bytes

Filename: vbaProject_00.bin
  SHA-256: 55128764721849240cea88f2261a9505388bbb21fb4e06b37f83aea2d260576f
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 38912 bytes