Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a80d07eab57b2410…

MALICIOUS

Office (OOXML) / .XLSM

Size: 144.8 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: cd02e44d708002d5675fd813991155c6
SHA-1: 8151d01a8468317565ab7865c69d16b7e4cbf462
SHA-256: a80d07eab57b241042950869403a4f8a85806fd87dca25419e0399c3d589e7d3
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. A critical heuristic fired on a Shell() call within the VBA code, a function used to execute external commands. The extracted VBA macro code contains obfuscated strings that, when decoded, reveal a PowerShell command. This command downloads a second-stage executable from 'http://18.196.46.14/-1/11/IMG-70026000173.exe', saves it as 'Qomadbibuyrfwozzgo.bat' in the user's public documents folder, and then executes it. The VBA code also attempts to save the active workbook, likely to ensure the macro runs upon activation.

Heuristics (2)

  • Shell() call in VBA (severity: critical, rule OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA project inside OOXML (severity: medium, rule OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 8078a2c02dc94aa84791cd6ad7106ef80b4536c5b363291438e7ff8153c69dae
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2501 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 3795d796c8889e3f71b5cdc2bb3efb8de160f6ca483f6c27ab1a7b315629f770
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes