Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a566767c8788be97…

MALICIOUS

Office (OOXML) / .XLSX

Size: 19.7 KB
Created: 2021-07-28 15:16:30 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c70f8e0bcb114bc7e6dd688b63da90f1
SHA-1: 183e9930a7a2f449fd2bcabb44a925663da2aa52
SHA-256: a566767c8788be9740934447f91402a0214f424b9ef32689c8247fedbacdefdd
Risk Score: 262

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The file is an XLSX document containing a Workbook_Open macro, an auto-execution entry point commonly used to gain initial execution when the workbook is opened. The macro uses CreateObject to instantiate WScript.Shell and runs obfuscated VBA code. The Shell() call together with the suspicious content of the extracted VBA source indicates the code is designed to download and execute a second-stage payload, although the source is heavily obfuscated and truncated, so the payload location could not be recovered statically. Taken together, these indicators strongly suggest a malicious downloader.

Heuristics (7)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6a79f0682bbe607489637a1717e63d5de363e7d4d23728c921cbbbaf7f5f9e9f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8376 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 10 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 3c1ea67c8e9ec91f3d949876013e70fa40655186410bba9fe992e426e58f7d59
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 27648 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 10 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.