Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 ad28560340b755db…

MALICIOUS

Office (OOXML) / .XLSM

Size: 88.1 KB
Created: 2021-10-23 15:11:41 UTC
Authoring application: Microsoft Excel 15.0300
MD5: fc5032b53de5cd1ce80268f93313af88
SHA-1: a31fa33e46f5486662894c59e624e7997aee8ed7
SHA-256: ad28560340b755dbc42bee1d1f438b258eef826dcdfb3043bdda1dc2f7d2dc58
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros that, when executed, construct and run a PowerShell command. The command downloads a file named 'Segoa5b.exe' from 'http://ddl8.data.hu/get/246747/13107078/Segoa5b.exe', saves it as 'zoqmtu.exe' in the user's PowerShell directory, and then executes it. The Shell() call heuristic confirms that the macro executes external commands.

Heuristics (2)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code invokes Shell() to run an external command.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin: VBA macros present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 0e6ae47f3d7ac85c82820d600374d1bf2f19a4a3eb6201737e9cf469798580e9
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2401 bytes
  • vbaProject_00.bin
    SHA-256: 65ea4c8a54021f4f66cc8afcfe491cf69a122179dd77139912dc65aea73966da
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes