Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c85ab0293b67d280…

MALICIOUS

Office (OOXML) / .XLSM

47.8 KB Created: 2021-11-17 02:06:11 UTC Authoring application: Microsoft Excel 15.0300
MD5: 5376f38c61fd06af4227f763fb9a9b91 SHA-1: 23c4a46e61879a1c4bf2fc2aff5d82f6c4db4e2b SHA-256: c85ab0293b67d28032dcd903ce9f7eba5ded834c6f831b04ab829f636a936b7b
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The document contains VBA macros that use the Shell() function, indicating malicious intent. The script attempts to download and execute a second-stage payload from the URL 'http://ddl8.data.hu/get/283048/13125545/jogb.exe' using PowerShell. The fake error messages in the document body are a lure to encourage users to enable macros.

Heuristics 2

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0f06b57e2086837dcc7df89427138f1afb3d3f2af215d306e960e0cbc6e7f774		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2479 bytes
vbaProject_00.bin
a8aed140eee99a04da34f623e5afb8eeb20c30b8f93601fa430877f4778bfe98		 vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.