Malicious Office (OOXML) / .OLE — malware analysis report

Static analysis result for SHA-256 c22d9e78e405a508…

MALICIOUS

Office (OOXML) / .OLE

Size: 75.1 KB
Created: 2020-06-15 08:33:52 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0884c5d968d9b8bd8a2ce11a9902fb46
SHA-1: a7e827c7538e612e2b5afa6d4217786915ddbc2e
SHA-256: c22d9e78e405a50881314ec4a79b7e34fec522d7a9ee1b8dbe5e8669861c6654
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros, as indicated by multiple heuristic firings including OLE_VBA_SHELL, OLE_VBA_WSCRIPT, and OLE_VBA_CREATEOBJ. ClamAV detections (Xls.Dropper.Agent-8054171-0) on both the main file and an extracted artifact confirm that it is malicious. The presence of VBA macros together with the use of WScript.Shell strongly suggests the macro is designed to execute commands, most likely to download and run a second-stage payload. The document body appears to consist of obfuscated or encoded data rather than legitimate document content, which further supports malicious intent.

Heuristics (7)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Xls.Dropper.Agent-8054171-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8054171-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin: VBA macros present
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: a2c932d5c1f994223fe4bc2a48c9177b62e8a7041dd53abab02a8a682c584235
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1135 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).

Filename: vbaProject_00.bin
  SHA-256: 3976a0bf4e66a3b74c942b73e10db1b824cd3d83c66cd3575a34baf427be5c3b
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 15360 bytes
  Detection:
    ClamAV: Xls.Dropper.Agent-8054171-0
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).

Filename: emf_00.emf
  SHA-256: 9a16976c701f6813b7a8d98761299f94e5eca283636006616aebbdd14393fe75
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 1976 bytes