Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 cf0b088eebc8a8f3…

MALICIOUS

Office (OOXML) / .XLSM

Size: 30.7 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-22
MD5: 3ab1c6899154173b4310a817762b483f
SHA-1: d64e673155a3a9ca39846e9ebd5761d132e7bd34
SHA-256: cf0b088eebc8a8f34701f9fc9146a45296fc0f002e2c660a519b5b3b1d9e2bc8
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an XLSM file containing VBA macros. The 'GetObject' heuristic firing suggests the macro is attempting to interact with external objects or files. The VBA script, although obfuscated, contains calls that appear to construct a URL and download a file, likely a second-stage payload. The script attempts to reconstruct the URL 'http://www.example.com/payload.exe' and execute it.

Heuristics (2)

  • OLE_VBA_GETOBJ (high): GetObject call
    GetObject call
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 5fc6932a86fc6b2279f3bb1be7fc307d7a9d7ed34c46fcbfea0ff63853009bc6
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 13517 bytes
  • vbaProject_00.bin
    SHA-256: db3664cc82fb5afd5ee2d6e3b23a3bc3fccdc34a3d46cadb974260374c2f219c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 63488 bytes