Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c293b52871aac0cf…

MALICIOUS

Office (OOXML) / .XLSM

Size: 183.2 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fce7d2609e214a5679d52cab05df93d4
SHA-1: 027956be40f312376e21489e02c13256a53a86f9
SHA-256: c293b52871aac0cfb9ae05087ce8f0cb6e1a7c955dabcd43f8aa5e3f4f4cf881
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains VBA macros that use WMI to launch a process. The macro reconstructs a PowerShell command that downloads and executes a VBScript from 'http://unitedwebpack.co/jug/pov.vbs'. That VBScript is then executed by PowerShell, indicating a multi-stage infection chain. The VBA's use of CreateObject and WMI for process creation, together with PowerShell execution of a remote script, strongly suggests malicious intent.

Heuristics (3)

  • VBA WMI Win32_Process launcher (severity: critical, rule: OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2075 bytes
    SHA-256: 552817eaa0731a03ccadfe62a245a7510e4d24d85b48de21a65adec7c85daab7
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 33280 bytes
    SHA-256: 3443435e03f00be152054fd70dd8781e2f7ba92cee13564480ce48dc3c31dd8a