Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 9fb275cabb54bc69…

MALICIOUS

Office (OOXML) / .XLSM

51.1 KB Created: 2017-09-27 13:10:41 UTC Authoring application: Microsoft Excel 16.0300
MD5: f77ade3f87e59d6a6c6d97c7e84ab944 SHA-1: ac1403a9c425a7bf688c46b69e203da75fc90548 SHA-256: 9fb275cabb54bc69196506e9716bffee37f12d5c530aeaae0f033a43ce662445
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

This XLSM file contains VBA macros that use the Shell() and CreateObject() functions, indicating an attempt to execute arbitrary code. The presence of these functions strongly suggests the macro is designed to download and execute a secondary payload. While no specific URLs were extracted, the heuristic firings are highly indicative of downloader or dropper malware. The document body contains prompts for bank details and company information, suggesting a phishing or business compromise lure.

Heuristics 6

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename            Kind          Source                                                           Size
macros.bas          vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)   13998 bytes
  SHA-256: 9043f5761fb50aa5de23d8e642f88b4e99828a783017a0a46d83a173bf569253
vbaProject_00.bin   vba-project   OOXML VBA project: xl/vbaProject.bin                             57856 bytes
  SHA-256: 506e529953edc5b83e1947eab5ef9d64848f758d86893163e2a0aee90b02a002