Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c1442825db496e97…

MALICIOUS

Office (OOXML) / .XLSM

Size: 53.1 KB
Created: 2020-06-10 10:17:11 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 092b7aae9bb0648757de44a1dbc2eda8
SHA-1: 7a21f1f14ca6b1ddd2eecc4f028718d867b03d0d
SHA-256: c1442825db496e97bd7f58d26ee270c461cb309617c610365730ea2416b4d3d3
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. Heuristics indicate the use of Shell() and WScript.Shell, suggesting the execution of external commands or scripts. ClamAV detection identifies it as 'Doc.Dropper.Agent-8015063-0', a known dropper. The VBA macros likely download and execute a second-stage payload.

Heuristics (6)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Doc.Dropper.Agent-8015063-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-8015063-0
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin, so VBA macros are present
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size, Detection

  • macros.bas
    SHA-256: aee435eca06f92285f324a064826850a0c3a294a554954d3b54f45060e6c070c
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1205 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).
  • vbaProject_00.bin
    SHA-256: c1cd034edab0967f6f9e6e3caa3e2d306796d159ee2970221e90a3c209d14f0a
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 18432 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).
  • emf_00.emf
    SHA-256: 2fa53b05b86dc7fb202ef303843eb22d9153ad8486c37f62bf78bd309e64a9a3
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2760 bytes
  • emf_01.emf
    SHA-256: 2ba25cac6053f67d0e4499de57ae9857e23bc490186442d39a632da2832b72c7
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 2352 bytes