Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b3611898ab09f4bc…

MALICIOUS

Office (OOXML) / .XLSM

Size: 34.4 KB | Created: 2022-04-10 19:02:35 UTC | Authoring application: 16.0300 | First seen: 2022-04-11
MD5: d40bfad72dd13a14ed745827ba2a40fc
SHA-1: d5cd2e93fb8330f6830b03d389ee328696367f00
SHA-256: b3611898ab09f4bc4cee71dd84e14cbe2e1262ab6b2147ac2a4a2578f815f531
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing VBA macros. A critical heuristic firing indicates the use of URLDownloadToFile, suggesting the macro's purpose is to download and execute a second-stage payload from a remote URL. The VBA script also contains structures related to process creation, further supporting the payload execution intent. No specific family could be identified.

Heuristics (3)

  • URLDownloadToFile in VBA — severity: critical — rule: OLE_VBA_DOWNLOAD
  • CreateObject call — severity: high — rule: OLE_VBA_CREATEOBJ
  • VBA project inside OOXML — severity: medium — rule: OOXML_VBA
    Document contains vbaProject.bin, i.e. VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 10626 bytes
    SHA-256: 593d8c710a9f685954d85f7570fcf3a1792fd7ea67e12c13dca2a29f83295578
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 37376 bytes
    SHA-256: f84aaa1ae34b6ea78f84cf3fec6b289f71d7ccdebd5f5c787141350b1d63b161