Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 ca6cc70d74efc75a…

MALICIOUS

Office (OOXML) / .XLSM

110.3 KB Created: 2020-06-29 07:21:29 UTC Authoring application: Microsoft Excel 16.0300
MD5: c4deec389d7dc503009a4c5bd7c63588 SHA-1: 972bb13b31324ff46d8e93cefbc340ecd842f884 SHA-256: ca6cc70d74efc75a530234f9cc97a751b3fd713ca11d2235db7436e4f00cb52e
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an XLSM file containing VBA macros. Heuristics indicate the use of Shell() and WScript.Shell, suggesting the execution of arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-8383926-0' strongly implies a dropper functionality, which typically downloads and executes a second-stage payload. The document body content is numerical and does not provide contextual clues for the attack pattern.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Doc.Dropper.Agent-8383926-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-8383926-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
292795551001817bd985f45adf881040d493d201479fbe4bcdfc83747a4242c6		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1257 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
vbaProject_00.bin
b29c0aae178a0e8227015abbff702251971883eff1eb551b0e7e9d0014fbd29d		 vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
emf_00.emf
63d5db2c6422a9453c65a1e20c99b3437a9aedc71f9053896ee2dc73dcca8803		 ooxml-emf OOXML EMF part: xl/media/image1.emf 2380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.