Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a0dc2f247f51601b…

MALICIOUS

Office (OOXML) / .XLSM

97.3 KB Created: 2020-06-11 21:30:34 UTC Authoring application: Microsoft Excel 14.0300
MD5: e5c9911837c78a94dc7ccdc9c4814d2a SHA-1: daff0608b2758b6cb10e68b0d1f2f25da0e136dd SHA-256: a0dc2f247f51601b44404caa288f98c8cb081a7b0f4cdfda53607cd783294373
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Rundll32 T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The sample is an XLSM file containing Excel 4.0 macros, which are known to be used for malicious purposes. The macros appear to be designed to download an executable from 'https://ternerdrivew.at/3/wwf.exe' and save it to 'C:\tzvILZu\wGQLoEW\WTNfczV.exe'. The script also attempts to create a directory 'C:\tzvILZu\wGQLoEW' and execute the downloaded file using system utilities like 'regsvr32.exe' or 'rundll32.exe'. The presence of hidden sheets further supports the malicious intent.

Heuristics 4

  • Excel 4.0 macro sheet (1 sheet(s)) high OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 23 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ternerdrivew.at/3/wwf.exe

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
eb48cbc3a1862ea285bdcfd2032e24d21939a80eff14b3c93a07aebf1975259f		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 57308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.