Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b16ef1dc62ecbd32…

MALICIOUS

Office (OOXML) / .XLSM

52.1 KB Created: 2022-01-04 14:11:58 UTC Authoring application: Microsoft Excel 15.0300
MD5: b329e844cf2595ce0882fc0b90b4eb18 SHA-1: df71db807ec43de012040e12cad06d7a9f3641ce SHA-256: b16ef1dc62ecbd325038ee197b8eec483bd4fcccef24471ee3ccee67414d0870
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. The critical heuristic OLE_VBA_SHELL indicates the presence of a Shell() call. The VBA script reconstructs a PowerShell command to download and execute a file from 'http://dbl8.data.hu/get/28294/1034982/Wqfap.exe' and saves it as 'Nchrwjxjodzkauvknxh.bat' in the public directory. It also attempts to establish persistence by writing to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
03b690cf15e84d5969b1ad535600fd36fc52297abfdd4267a2fb0275dca1ae24		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2390 bytes
vbaProject_00.bin
95c6802df2312117745f6a7f0d7219e12579d67e5749a757b8aed62c11e992fc		 vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.