Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c80a67e06086a3a0…

MALICIOUS

Office (OOXML) / .XLSM

263.7 KB Created: 2021-04-12 15:51:01 UTC Authoring application: Microsoft Excel 15.0300
MD5: db16a14a0fe47030218ac4aa80670139 SHA-1: 556bfe14c2a952366b2e488e47cf095cda47e43d SHA-256: c80a67e06086a3a09b926bef2f557f1e0f9fba7fb9291a030de257f1cff18882
268 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristics indicate the presence of VBA macros, specifically a Workbook_Open macro, which is designed to execute automatically. The critical ClamAV detections confirm this is a known malicious agent. The extracted URLs are highly suspicious and likely serve as download locations for secondary payloads. The VBA macro's intent is to download and execute a second-stage payload from the embedded URLs.

Heuristics 8

  • ClamAV: Win.Malware.Agent-9859837-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Agent-9859837-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://demodoctor.tdejob.work/Dr-Trina-Karmakar/css/KtPya1rG.php
    • https://matchlesstravels.com.pk/backup-12-2-2019/wp-admin/css/colors/blue/6kvaiF01dZGb.php
    • https://automanic.tdejob.work/hqimpLV9qAByF.php
    • https://eelara.com/wp-content/plugins/smart-slider-3/Nextend/Framework/SfvcJZ0DFhvA8jR.php
    • https://labonno-one.seebonerp.com/system/database/drivers/pdo/subdrivers/oFZs67rwiEDNI.php
    • https://rockin1000.com.br/code/img/SocialMedia/IThiDYMU.php
    • https://lifetarget.com.pt/hWNJhFYiJ.php
    • https://opticahealthvision.com/wp-includes/js/tinymce/themes/inlite/6oc5yCaQGY0zv.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c2d5c3107222bc035d0c89dfabd3b10c4f01e21d91273b3865881c33d7671f61		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 67224 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
f861f8a876c7d0b8fc7a024e919ad71d820a763aa1ab958f3a02b6c490c09021		 vba-project OOXML VBA project: xl/vbaProject.bin 199680 bytes
Detection
ClamAV: Win.Malware.Agent-9859837-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.