Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b527de9bd7fb3aba…

MALICIOUS

Office (OOXML) / .XLSM

Size: 65.5 KB
Created: 2022-09-20 07:24:03 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-09-20
MD5: 484c75eff79909e062bf68cde5f07479
SHA-1: 4a892f28c3f518de7a32e30fd3891eb8950f4929
SHA-256: b527de9bd7fb3abab3fc4b0cd95c46ebe2524b660cb6a970042272ae07a2689e
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_DOWNLOAD indicates the presence of URLDownloadToFile within the VBA macro, suggesting that the file's primary purpose is to download and execute a secondary payload. The Environ() call heuristic indicates environment variable access, possibly used for evasion or to resolve a download path. No specific family could be identified, but the technique is common for initial payload delivery.

Heuristics (3)

  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains a VBA project (VBA macros present)
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, size: 10512 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: 0f6398755668acff99ab07b3695ce6c4f9a8fa87d7304e1f17966737d53ebcac
  • vbaProject_00.bin (kind: vba-project, size: 40960 bytes)
    Source: OOXML VBA project: xl/vbaProject.bin
    SHA-256: d8744a50702aef64a447672e8fe7d1bc9c236bc502b1ee2c1e603ebb4897b906