Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a35739159d8ec8a8…

MALICIOUS

Office (OOXML) / .XLSX

56.8 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-27
MD5: aa904f344c89b2ebf901a0a131641ba4 SHA-1: 07cda98e0352fe5a8e50bfcae691888f986b8c47 SHA-256: a35739159d8ec8a88d901e6f299abdf7050719a14e19bca9dd2cc1bc43fefbf8
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1140 Deobfuscate/Decode Files or Information

The VBA macro uses CreateObject to write a VBScript file named 'RqEfk.vbs' to the user's temporary directory, determined by the Environ() function. The script then attempts to execute this VBScript. This indicates a downloader or dropper functionality, aiming to execute a second-stage payload.

Heuristics 3

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c513a543c77db032d855d3e696e56bf2b0914cbf6c4707e16f93bc15aa54525a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1650 bytes
vbaProject_00.bin
40b21758ce44c2b4c41d147738c732d24a63dd8aca4058183333c75399e8f568		 vba-project OOXML VBA project: xl/vbaProject.bin 21504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.