Office (OOXML) / .XLSM malware analysis — malicious · a7210d9c96813885

MALICIOUS

Office (OOXML) / .XLSM

41.5 KB Created: 2022-07-07 08:42:04 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-07-07

MD5: 3239e6d9c2e6b01628b10376e01bc3f8 SHA-1: 6a58d87110dcf830495cb5091a9d5f4b1803c982 SHA-256: a7210d9c96813885238dcd4c7d6a6c08cb41220c65d7ce547ec17fde959d233e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macros within this XLSM file are designed to download a file from a URL using HTTP and then execute it. The script utilizes CreateObject and GetObject calls, common in macro-based malware, to achieve this functionality. The obfuscated string 'MM.LT6SLXHP.X2MT.0' is likely used to instantiate an object for network communication, further supporting the download and execution of a payload.

Heuristics 4

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `00b4924bd9811134b5a41c89f3dae41816e15e4f7cad74b80a40f687e45f088d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4121 bytes
`vbaProject_00.bin` `51372fc984d6d5ad245e17a80df355e4c104f6e983a8cbbb897e5b82bab14db7`	vba-project	OOXML VBA project: xl/vbaProject.bin	37888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.