Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b6b6eb4c3e244e24…

MALICIOUS

Office (OOXML) / .XLSM

298.5 KB Created: 2021-04-14 15:44:18 UTC Authoring application: Microsoft Excel 15.0300
MD5: 86a64ae3da7702b0759c2d265a193188 SHA-1: 473b95b1ae2302ad3ee45cce76afbe6702dd5c46 SHA-256: b6b6eb4c3e244e24fa003c83d6e9cee1b90c5687ea5067db21f341a4093924ad
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The sample is an XLSM file containing a Workbook_Open macro, indicating automatic execution upon opening. The macro uses CreateObject and Environ calls, suggesting it attempts to interact with the system or environment. The document body contains obfuscated text and URLs, likely intended to disguise the malicious payload and lure the user into interacting with the document. The presence of VBA macros and the Workbook_Open event strongly suggests the macro is designed to download and execute a second-stage payload from one of the listed URLs.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://api.magicalabs.com/hHVaGPuBT9dSxh.php
    • https://oremoralesabogados.com.pe/Scripts/WqPCodwcgmkqSZ.php
    • https://safraprime.com.br/img/portfolio/full/7CjadBxFsuro.php
    • https://rutasmovil.mx/bar/lib/datatables/Buttons-1.2.2/css/X1hUY4rqtmPDv1O.php
    • https://host-per.com/chologringo/images/vfZoPyJUw.php
    • https://draniruddhaghosh.co.in/5sB1De5W5iC96y2.php
    • https://erlima.com/userfiles/_thumbs/Images/_vti_cnf/3dlbKnTC.php
    • https://razapparelsbd.com/ima/wp-content/uploads/2021/01/StSke0U0.php
    • https://rewardunlimited.us/tr3O9zb4o5ptybB.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f4cbe8b1a19566752e6839bedffaa8cfea12d1289d7d463ffafe0bbb329269ee		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 68603 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 38 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
1be653d500c26bd495b36251c8de80a1a620d32c33f9d67d4be27beb982e8a40		 vba-project OOXML VBA project: xl/vbaProject.bin 204800 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.