Office (OOXML) / .XLSM malware analysis — malicious · d461810943d78b80

MALICIOUS

Office (OOXML) / .XLSM

107.0 KB Created: 2020-05-21 18:50:41 UTC Authoring application: Microsoft Excel 12.0000

MD5: 4737253a5c71548b924a422fa4dc40ea SHA-1: 148ab635c3d0250963c00b5702e3d2ba534d1b5a SHA-256: d461810943d78b803fbc9a0ea85d16325af10764243d7d3d6b7b24d52efe685c

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing with Malicious Attachment T1059.005 Visual Basic

The critical heuristic indicates the presence of a VBA macro designed to execute a PowerShell command via WScript.Shell. This command is obfuscated using caret encoding and an ASCII array, and it likely downloads and executes a second-stage payload. The Workbook_Open macro firing further suggests automatic execution upon opening the document.

Heuristics 4

VBA WScript CLSID PowerShell runner critical OLE_VBA_GETOBJECT_CLSID_POWERSHELL_RUNNER

VBA auto-exec macro instantiates WScript.Shell through its COM CLSID with GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"), repairs an obfuscated '^owershell' command, and runs an ASCII-array PowerShell IEX downloader. This is a high-confidence macro execution chain.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `742aff42eacf1ff154a59ab999094317379b0b15a215a3e76d3267546f12f455`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	9069 bytes
`vbaProject_00.bin` `f4c044144680516e6427ced02c88e8fbf903c5033b97080ca221b43f49625831`	vba-project	OOXML VBA project: xl/vbaProject.bin	38912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.