Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c5549a5b5e89215e…

MALICIOUS

Office (OOXML) / .XLSM

144.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300
MD5: 5b5f9c855fc604842ea279189e66085e SHA-1: 6db77d14c6b1fbfe6e35b4b87b26510cd052cc23 SHA-256: c5549a5b5e89215e858b49231880de36c105f068a7441a7f6d535e96d532177d
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The critical heuristic OLE_VBA_SHELL indicates the presence of a Shell() call within the VBA macros. The script decodes a Base64 string which, when interpreted, reveals a PowerShell command. This command is designed to download a file named 'ET_010000456_063256.exe' from 'http://hanafoo3co.com/wp-content/plugins/masterx/ET_010000456_063256.exe' and then execute it. The script also attempts to save a batch file named 'Iicsfcqrfui.bat'.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b89a2fac0b6ac26d6e977797e33b2e261756b3b9dd5ab618a0bc04074f563a16		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2514 bytes
vbaProject_00.bin
ad137fe4e4ef3ae875089455af3be5835de830a691933ce446ba58da2fc01ff8		 vba-project OOXML VBA project: xl/vbaProject.bin 6656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.