Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c0fb3410e2ddca4f…

MALICIOUS

Office (OOXML) / .XLSX

196.6 KB Created: 2021-04-21 13:01:18 UTC Authoring application: Microsoft Excel 15.0300
MD5: bad9949e5f34dea3453014179e9f4705 SHA-1: 4593a7d5c39f17b357923a8ca450353e4267d305 SHA-256: c0fb3410e2ddca4fff784a5aa09f4bc22d46db70a23f934ed69c42c8b98c9d36
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample contains a Workbook_Open macro, indicating that malicious code executes automatically upon opening the spreadsheet. The macro utilizes CreateObject to likely download and execute a second-stage payload from one of the provided URLs. The presence of Environ() calls suggests potential attempts to gather system information or modify the execution environment.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://4startups.co.za/wp-content/themes/twentytwentyone/template-parts/content/2RqyuNia.php
    • https://hanoichinesechurch.com/wp-content/plugins/wordpress-seo/vendor/composer/GHJG9xAh.php
    • https://trijayatower.com/wp-content/plugins/creame-whatsapp-me/public/css/3hOcD4Ykt.php
    • https://zile75yilasm.com/tmp/install_4dbf17ff8c4a3/mod_vvisit_counter/images/digit_counter/RsJQrl381qAv.php
    • https://easitrac.co.za/images/tpDv5fQfXEc9.php
    • https://bestel.hallomaasland.be/css/icons/weather-icons/sass/icon-classes/3HpGEmSu0.php
    • https://prodigitalize.com/RTg3Z9Jy.php
    • https://guidewire.motifdemos.com/node_modules/three/src/animation/tracks/2aE3jvHY.php
    • https://www.volsr.org/wp-content/plugins/w3-total-cache/inc/email/rVC4EhMUt.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0cfe4d4fc942c840a47dbd40660f3add456eb6032b296f5011e0459fb54da3e3		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9400 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
d9c95a739a66c9a687dfaf9fb924131d8074bc3908b64737f770c2c3ceb0cf60		 vba-project OOXML VBA project: xl/vbaProject.bin 51200 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.