Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 bfee589efb80fccd…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.3 KB
Created: 2020-06-22 08:40:51 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4dd9dfc92887e8c02cbc54a2abf73fb2
SHA-1: f7586d41577ed314ef5794072ddffef838996088
SHA-256: bfee589efb80fccdc2c19e16b54fa19d2a9ee7f5c359e0340cd568dce09f8ecb
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is an XLSM document containing VBA macros. A critical heuristic indicates the presence of a Shell() call within the VBA code, which is commonly used to execute arbitrary commands. ClamAV also identified this file as 'Doc.Dropper.Agent-8176176-0', suggesting it functions as a dropper. The document body consists of numerical data, offering no contextual clues about the lure. No scripts were explicitly extracted, but the VBA macro's ability to call Shell() implies it likely downloads and executes a second-stage payload.

Heuristics (3)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • ClamAV: Doc.Dropper.Agent-8176176-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-8176176-0
  • VBA project inside OOXML [medium, OOXML_VBA]
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 859e5e99cda3a2e7b6dd4fe749f256b2e30150410120e491d5efb7fb74db6dc5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1154 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 8adc3d6658dfca4c15004d657bcb07f743946b1f6eeb3b81db95e68fae58e28f
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 10752 bytes
  • Filename: emf_00.emf
    SHA-256: 8ac0551339ec7e432280fef0e05e707f0d46dd75f3d88e1a37c942c4aa12d559
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1976 bytes