Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 be1267a2b58e923a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 2.74 MB
Created: 2022-03-23 15:37:12 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-27
MD5: 87e9a889cdbe4974613ad084efb579ef
SHA-1: e90923f92002108d45728006cc042b5daa58f691
SHA-256: be1267a2b58e923a5e6cffeb6e5a21bf983d581cad19265968b660efae23941a
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an XLSM file containing VBA macros. Heuristics indicate the presence of VBA code that references PowerShell and cmd.exe, suggesting execution of external commands. The extracted VBA macro 'macros.bas' implements the RunPE technique, which is used to execute a payload. The macro itself is a known implementation from GitHub, and it is designed to load and execute a separate executable file. The confidence is high due to the clear indication of macro execution and the RunPE implementation.

Heuristics (5)

  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
    PowerShell reference in VBA
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
    cmd.exe reference in VBA
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://github.com/itm4n/VBA-RunPE
    • https://github.com/hasherezade/
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 7d2d7496f9f3b7aa5f12d810f508d38ca8ded3fe141bd46303f972c6af7cfe8f
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 754818 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 7 shell/COM execution token(s).
  • Filename: vbaProject_00.bin
    SHA-256: 4bc81b222b43135bf0e39764cbfea062f8b0b34e1680db61d82a604f5fb6aa9b
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 8388608 bytes