Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b00be6420891a62e…

MALICIOUS

Office (OOXML) / .XLSM

Size: 85.5 KB
Created: 2022-01-06 00:01:33 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 40728a8aa62636e4de2e4ed389f79ee4
SHA-1: 7ebc2c2babe517fc40651c9d1fa371877cb64217
SHA-256: b00be6420891a62e2643fa8ccc9a9aaefc73f8606661b10f70f91b3a185e76cf
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The VBA macro contains a critical `Shell()` call, indicating it can execute arbitrary commands. The script reconstructs a PowerShell command to download a file from 'http://ddl7.data.hu/get/34293/13162105/aog.exe' and save it as 'enptgrawg.exe' in the user's environment path, then executes it. It also creates and executes a batch file named 'Xufqgvnoel.bat' which appears to be a wrapper for the PowerShell command. The `Workbook_Activate` subroutine ensures this malicious activity executes upon opening the document.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2317 bytes
  SHA-256: 5cd3a9d3874c6cc31b0c7f1677ee111cbc9f9e3e7609a2884f4756f19fa818a1
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes
  SHA-256: 9d0b9cf6bb63d546e2c72c2709e585fa1f10fdb3cd58e541deb9f69362da889f