Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a635b98a8c5fa3ca…

MALICIOUS

Office (OOXML) / .XLSX

Size: 61.1 KB
Created: 2020-11-30 03:16:14 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-05-04
MD5: ef8acfc611fa075b18f6763e7116c2ab
SHA-1: 4273f48319ff0fc7201f68e8ba4a8f798ecfbb24
SHA-256: a635b98a8c5fa3cac2deda41b9f9c5b04adf161901c8405b71208062104b895d
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Excel macro-enabled file. The VBA script contains a call to URLDownloadToFile, which is used to download a second-stage payload from the URL https://figesoyuzo.com/usda29ksagh12/15.dll. The downloaded file is saved to C:\Users\Public\45148.exe, indicating the likely intent is to download and execute a further payload. The presence of an Excel 4.0 macro sheet further supports the malicious nature of the file.

Heuristics (5)

  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • External relationship [high] OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: file:///C:\Framework\XLSB\index.png
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://figesoyuzo.com/usda29ksagh12/15.dll

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename          | Kind            | Source                                                          | Size       | SHA-256
macros.bas        | vba-macro       | oletools.olevba.extract_macros (decoded VBA source from OOXML)  | 1848 bytes | e498fe37fe580971a7f345c065937e31c3da2fd8184da7f763040ec02694a7f5
vbaProject_00.bin | vba-project     | OOXML VBA project: xl/vbaProject.bin                            | 14336 bytes | f4bbd7a059fa72564c5f04d079ea541e890e110150eeadd3bea65a83e20a8ad1
xlm_sheet_00.bin  | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin                | 777 bytes  | 2ff9b5022c3a3d883a08f6951e19a7e7b07039f1ec7366e06cf1496dc55b5c75