Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b6ab635fbb1283fa…

MALICIOUS

Office (OOXML) / .XLSX

5.06 MB Created: 2021-05-17 13:32:54 UTC Authoring application: Microsoft Excel 15.0300
MD5: d43aa3d1c016cd539ee0d7696058525d SHA-1: 3f51539b8c37400f521858ca7bf45f16df231308 SHA-256: b6ab635fbb1283fa9ed837b89dc606098e79fcef505663c1efdadce51e4fcf63
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an XLSX document containing a Workbook_Open macro that utilizes Shell() and CreateObject() calls. This strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection as 'Doc.Downloader.Emotet-10019767-0' further supports this, indicating a downloader functionality. No document body text was available for analysis, so the rationale is based on the macro behavior and AV detection.

Heuristics 8

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL https://irecruiter.immentia.com/storage/framework/cache/data/0e/nC7vWe43YwJjj.phper=SwB
    • https://deymoncosta.agenciahpm.com.br/wp-content/themes/twentytwentyone/template-parts/content/4DH7rdtEDZjDhl.phpNDr&+!JqNDr&+!Jq
    • https://wrm.focomedia.com.br/bpT7xWIHWSppU.phpcdhaEQ
    • https://blog.pelopeludo.com.br/clG7Ag6o9wKT.phpMEI#gt|w3T\znID#
    • https://sezerinsaat.com.tr/UserFiles/TemplatePreview/CEKVALF---KLAPE/s5CEJWRoRRNGgwb.php%;&j
    • https://bstreettestsite.com/wp-content/themes/Divi/css/tinymce-skin/WRqXZ4iyukc.phpEsOP

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
29db72ea19858315d2534498b6742abeb9d2155b4bcf7781e4aff47aa6edba97		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4125966 bytes
vbaProject_00.bin
a469cdb4fe2e14dea51ea2d5af9e4291b9891cfa0ad9a556495d61d551d3a883		 vba-project OOXML VBA project: xl/vbaProject.bin 7840256 bytes
Detection
ClamAV: Doc.Downloader.Emotet-10019767-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.