Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 cff18fed600a3731…

MALICIOUS

Office (OOXML) / .XLSM

Size: 438.4 KB
Created: 2021-07-28 10:37:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: ebe0fb3b67cf38d3bdec7f62a08b50dd
SHA-1: ab9150f74d09c686fdccafa2424d2a2d3cae1fca
SHA-256: cff18fed600a3731c39199cb2ef0565f7c1499387a9f5a6be605e7f9f75e510b
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The sample is an XLSM file containing a Workbook_Open macro, indicating it's designed to execute code upon opening. The macro uses CreateObject to execute a command, constructing a path to a file named 'payload.exe' which is likely the second-stage payload. The Environ and Cells functions are used to dynamically construct the path and potentially the command to execute, suggesting an attempt to obfuscate the payload's location and name. The macro also writes data to a file, but its content is not directly discernible from the provided script.

Heuristics (5)

  • Workbook_Open macro (severity: high, rule OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium, rule OOXML_VBA)
    Document contains vbaProject.bin: VBA macros present
  • Environ() call (env variable access) (severity: low, rule OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: f82dcdf0d980a111e48d6b7e8bf0f569253aedffa510fc072db534d1f0e25795
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1094 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • Filename: vbaProject_00.bin
    SHA-256: a8190446c34a7cd3fa80f524a72f332a518366e3b88fd60d25ad5c64d5927d92
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 9216 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)