Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a0d6944b705fc3ed…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.8 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: e8474eb64789eee152d472b770d302d7
SHA-1: c586a8c7d952e9ba7bec7576620b583fe0a00549
SHA-256: a0d6944b705fc3eda19d5a990ab7ec34d64b2d275366603c434b77fbd0526ba0
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an XLSM file containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call. The VBA script reconstructs a PowerShell command that downloads a file from 'http://3.69.23.46/chrome/ctr-cry.exe' and saves it as 'Ebuayabpfg.exe' in the user's AppData directory, then executes it. The script also creates a batch file named 'Dqjaoqc.bat' which contains this command and executes it.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 5b662449e7edb9b60fa41c11c69c416df75ef9439383f6f7fe0e2fa5839ada8b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2408 bytes

Filename: vbaProject_00.bin
  SHA-256: 311dcd76515940879c6ed1c4efe0f7152e820ec454a61cc4f53dc8a438484fd9
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 6144 bytes