Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b6430f1c70dd393e…

MALICIOUS

Office (OOXML) / .XLSX

144.5 KB Created: 2021-04-21 12:55:42 UTC Authoring application: Microsoft Excel 15.0300
MD5: 060d95988fc565133a252aadc91ea24f SHA-1: 59a2f22c0c6622b2074f2fa59a1136b430aaffb3 SHA-256: b6430f1c70dd393e02aadb47cb51716844f13bc53dc5258887d6c257a01c5563
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The sample is an XLSX file containing a Workbook_Open macro, indicating it is designed to execute malicious code upon opening. The macro utilizes CreateObject, suggesting it attempts to download and execute a second-stage payload from one of the provided URLs. The presence of VBA macros and the auto-execution technique strongly suggest a malicious intent.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://thedesignery.co.za/wp-content/plugins/coming-soon/app/backwards/LjMeqpr3UTW.php
    • https://hanoichinesechurch.com/wp-content/plugins/wordpress-seo/vendor/composer/GHJG9xAh.php
    • https://itessoftware.com/hotel-app/new/images/mens/one/EASMjuSn9IagGnq.php
    • https://farmlandsinvest.com/wp-content/plugins/woocommerce/packages/action-scheduler/nIscJ8h0.php
    • https://successnoregrets.com/__MACOSX/img/VpfxnXS5mMt7.php
    • https://erginsera.com.tr/AiHSBOUyw0C3C.php
    • https://ar.montenegroinvesting.com/wp-content/plugins/contact-form-7/modules/recaptcha/PMGHOKjn8HZhWUk.php
    • https://promocionessostenibles.es/wp-content/plugins/meta-box/css/jqueryui/EAMqn8EBm.php
    • https://www.volsr.org/wp-content/plugins/w3-total-cache/inc/email/rVC4EhMUt.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9396be483703b4624d8b9876c3a448e7f415c561ec364498057468490259a240		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9474 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
56adb7fdb032ce8d82061b7c5c318cd7e026640e451a2d5dc6bae03dec98d814		 vba-project OOXML VBA project: xl/vbaProject.bin 51200 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.