Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a3830f8771bcfd33…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSM
Size: 103.0 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 1da8ddb4af50803adc6055014ba8377a
SHA-1: 679ea998a827b1b445b690ba61259527d40633f9
SHA-256: a3830f8771bcfd33928271415d4b6a1d6853bf5f1a62a57e8ae38bf3dc3c90bf
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32

This XLSM document contains VBA macros that leverage WMI to launch a PowerShell process. The PowerShell script, reconstructed from obfuscated hexadecimal characters, downloads a VBScript payload from 'http://universalpaymentport.co/jun/doc.vbs'. This VBScript is then executed, indicating a downloader pattern designed to fetch and run further malicious content.

Heuristics (3)

  • VBA WMI Win32_Process launcher (severity: critical, rule: OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 27e4cea9433f4f2f7b5f322dcf6c9f6e3f625dbf6dc4d407c1677a899431787b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1972 bytes

Filename: vbaProject_00.bin
  SHA-256: db55faf0e472c29ea700a0c506105a5aca8c84d05d93eda5fbcfe1c157bf9476
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 16384 bytes