Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a3f82d7fb9464287…

MALICIOUS

Office (OOXML) / .XLSM

Size: 29.1 KB
Created: 2022-07-14 08:32:57 UTC
Authoring application: 16.0300
First seen: 2022-07-14
MD5: e9e2c15586efff02a2c06c2f8ad27cc2
SHA-1: a17f5b867a08dfc2d20b5f5d9e2786bbcf14ab20
SHA-256: a3f82d7fb9464287689cff1f66d8d819e740cd6b1339bc575e2a8838fcc7ce12
Risk Score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer

This XLSM file contains VBA macros that utilize CreateObject and GetObject calls. A critical heuristic indicates that the VBA code downloads a file via HTTP and saves it to disk, suggesting it acts as a downloader for a second-stage payload. The obfuscated string 'aEX2MT.01MM.LT6OGSLXHP.' likely resolves to 'MSXML2.XMLHTTP' and '5hDBtaxjO.rmIADSe' likely resolves to 'ADODB.Stream', which are used to fetch and save the payload.

Heuristics (5)

  • VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: ecbbb075966934a609d1357ba8da510c453ee17120e035e7ce95fe578db7a4f2
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3896 bytes

Filename: vbaProject_00.bin
  SHA-256: 7c69eb5d126ff5e1f1ac672a4a2432e1fa59dd0439655e62cedb50cd8267212c
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 22528 bytes