Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 9de2de807f31d6a7…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.2 KB
Created: 2022-01-04 14:07:30 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 93c4fba389340842365e83dda45cc329
SHA-1: 1a3e0875dcb5d86efc2e85de8453f6b68a50e737
SHA-256: 9de2de807f31d6a7772b2aa83bbb8e22cc193e43d4bcb5e1d42ef7063ef0a917
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains VBA macros that, when executed, construct and run a batch file. This batch file then executes a PowerShell command to download a file from 'http://ddl7.data.hu/get/342936/1316205/ogq.exe' and save it as '%env:APPDATA%\ProcName'. Finally, it starts the downloaded executable. The Shell() call in VBA and the subsequent PowerShell execution indicate a downloader pattern.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
    Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 908e50d3aaf6b6cab9a1a98693b9b8d515d2797e549c4cfc64daeb85ca46fd42
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2337 bytes

Filename: vbaProject_00.bin
  SHA-256: fd7859aeee473111579c5b3257f9340ca8369bda4b4cd4e6f462e35224c021c0
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 6144 bytes