Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a9114ff86dc7f29b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 190.7 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 9bb1398aea5021b795f8ab523acced42
SHA-1: 6d7718c84b8f0ec76a41e6883cc4dd9317151116
SHA-256: a9114ff86dc7f29b771780181dbbc55a1d283daaa4d2fda77c853c2dda294036
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1059.005 Visual Basic

The file is an XLSM document, indicating the presence of VBA macros. Heuristics confirm VBA macros and a GetObject call, often used for obfuscation or execution. The DOC BODY contains a PowerShell command that reconstructs a URL ('http://91.235.143.133/tfdff/mef.vbs') and executes it. This PowerShell command is designed to download and execute the VBScript payload from the specified URL, likely serving as a downloader for further malicious activity.

Heuristics (2)

  • OLE_VBA_GETOBJ (severity: high): GetObject call
  • OOXML_VBA (severity: medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2433 bytes
  SHA-256: df7e81884d827a6935423410c1f3eed46954c080b9216323bf77e5e8c411eb0d

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 22528 bytes
  SHA-256: 35350114ce75bcbcc9b89cb11763d7a7b1aa979fdf4cf46d436379b525383db6