Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 db4158ecdd18f5f5…

MALICIOUS

Office (OOXML) / .XLSM

Size: 45.0 KB
Created: 2022-04-27 07:05:41 UTC
Authoring application: 16.0300
First seen: 2022-04-27
MD5: f8f0ff134975093b25fa7d1c7f3eec04
SHA-1: 73ffe5426131f9cf43dea9ee6c602c2acf773ec5
SHA-256: db4158ecdd18f5f5a706b12d2af93169199e02a6d53270acc3f233aa2d459ed2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing VBA macros. A critical heuristic fired on the presence of URLDownloadToFile, a function commonly used by macro malware to download a second-stage payload for execution. The VBA code therefore likely fetches that payload from a remote server. No specific malware family could be identified, but the technique is consistent with common macro-based malware delivery.

Heuristics (3)

  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
    URLDownloadToFile in VBA
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    CreateObject call
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: a4b9765504967bb99f642e6c90771ccae5fb3fe5c612ccd4c7d39ceff93a69b4
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 10877 bytes
  • vbaProject_00.bin
    SHA-256: 8a23dbbc9dca24f24ecc35e05ea5bd2d7a3a9e056e9393da5b812a894ca2edc2
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 38912 bytes