Office (OOXML) malware analysis — malicious · d0c6bec5228d425d

MALICIOUS

Office (OOXML)

57.5 KB Created: 2021-08-03 16:26:48 UTC Authoring application: Microsoft Excel 16.0300

MD5: e80fffd3c3b314dabd9b10217c7f3970 SHA-1: e9ab381be1305129b78a5063af1087dbd56419b8 SHA-256: d0c6bec5228d425d9e548d3fd6e87ee0e1882258b622932489267750f569e854

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1559.001 Component Object Model Hijacking T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an Excel document containing VBA macros that utilize WScript.Shell and CreateObject to read a registry key related to Microsoft Edge. The script then appears to call a subroutine 'SelLoop' which is truncated, but the overall behavior suggests an attempt to gather system information or execute a secondary payload. The presence of WScript.Shell and Shell() calls strongly indicates malicious intent.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
External relationship medium OOXML_EXTERNAL_REL

External target in xl/externalLinks/_rels/externalLink1.xml.rels: Selenium Updater 1.00 - Backup.xlsm
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6906f7379bfaef5e5bf6073f9db61338f3856d0c196ba07cd6519997a3182740`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3878 bytes
`vbaProject_00.bin` `1f4247648649dae67fb98e29f57c21450ecb32718ae6557d5717bd0d141f3ebf`	vba-project	OOXML VBA project: xl/vbaProject.bin	36864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.