Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b77d118f888279b6…

MALICIOUS

Office (OOXML) / .XLSM

Size: 42.6 KB
Created: 2022-05-22 13:32:02 UTC
Authoring application: 16.0300
First seen: 2022-05-25
MD5: dda8705c963cad14435f44dd2c5c1f69
SHA-1: aaa636323e4eec097d8f0647538d1a5c64061d0e
SHA-256: b77d118f888279b6ac72822ea0c048bcb94afa351f5308d1f1505a6ba4fffa01
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an XLSM file containing VBA macros. The macros call the URLDownloadToFileA API to download a payload from an unknown URL and save it under the filename 'calc'. The Shell function is then called to execute the downloaded file. The document body contains obfuscated text, which is likely a lure.

Heuristics (4)

  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
  • URLDownloadToFile in VBA (severity: critical, rule: OLE_VBA_DOWNLOAD)
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  1800 bytes
                   SHA-256: b958b19c1e4f14ba0dceda51c9aee6b6c576c19e1d9a42c5946c7f1c25b3886e
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            16896 bytes
                   SHA-256: efca8b320a41473397ad07f85aa7cd3f53ae1a59082855b4152e964571d8de62