Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b2281e8e33f7ec70…

MALICIOUS

Office (OOXML) / .XLSX

63.3 KB Created: 2020-05-27 09:14:17 UTC Authoring application: 16.0300
MD5: cccfdbf33057bf6e55dba54c3aa1a38a SHA-1: 6f9c72c53703020ad78f013a8fa794a1118e56e3 SHA-256: b2281e8e33f7ec70cf3d48a5335f87c9186bb1365eb5ecc9081825593dc110e3
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The file is an OOXML spreadsheet containing VBA macros. Critical heuristics indicate the use of Shell() and WScript.Shell, suggesting the execution of external commands or scripts. The ClamAV detection name 'Doc.Dropper.Agent-7915678-0' further supports its nature as a dropper. The VBA macros likely download and execute a second-stage payload.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Doc.Dropper.Agent-7915678-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7915678-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8f97539bb215484426cdd968fc034de1bcfe9bda395adc64858e49160fbc66d5		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1179 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
vbaProject_00.bin
eec1453f3bf5bc78f19304d2dd16aaafb9ca30917db2803b7a85a722a56a0816		 vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
emf_00.emf
76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d		 ooxml-emf OOXML EMF part: xl/media/image1.emf 1976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.