Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 d82c809d73585e67…

MALICIOUS

Office (OOXML) / .XLSM

Size: 438.0 KB
Created: 2021-07-28 10:37:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a29dcccadc623feb00357e426cfa3fee
SHA-1: b3ebefd871e5c94718897d80b61ab09e2fa5088d
SHA-256: d82c809d73585e67d134798aad150bec8fd431af3ad70545c416518b974f1f58
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The sample is an XLSM file containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The macro constructs a path for a Run key entry, "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy", and then uses CreateObject to execute a command. This command appears to download and execute a second-stage payload, as indicated by the concatenation of strings to form the executable path and the subsequent execution. The use of Environ() and Cells() suggests obfuscation to hide the true nature of the executed command.

Heuristics (5)

  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 182deceeb51b35c7dc67acd5d041b6746a975f7b869553d9c457ba9121533621
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1146 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
  SHA-256: 13ec60b8b1e3b7e4ad87b3d8cad84ac956e44adbc2ccf6e1b14bec42640aa62d
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 9216 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.