Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b318b7f0a4d0a5d0…

MALICIOUS

Office (OOXML) / .XLSM

Size: 144.8 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 9d7d66521b88a6ddd60d2685908bb85f
SHA-1: 9adada416446108e75539cac9c9dc85e37eb116c
SHA-256: b318b7f0a4d0a5d038a93b34ac6cf2c87b5f899559a73e3669c841896d261c6c
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing on Shell() calls in VBA indicates that the macro is designed to execute external commands. The VBA script contains obfuscated strings that, when decoded, reveal a PowerShell command. This command downloads an executable from 'http://hanafoodco.com/wp-content/plugins/masterx/ETS_0310200456_0607301.exe', saves it to a path built from the environment variable '%env:APPDATA%\Cqxmalri.exe', and then executes it. The script also attempts to invoke 'powershell.exe' and 'pwsh.exe'.

Heuristics (2)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 4fbbbfd227356f0c3828fcdddb2135c21a12d61d90c9f4ab1760b81215378998
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2501 bytes
  • Filename: vbaProject_00.bin
    SHA-256: f4ef5b50e0f53ffc5af87a4e9852c0f28ee740b27fb2b799a2b9cb02cd4b0642
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes