Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 de939047dbb45174…

MALICIOUS

Office (OOXML) / .XLSM

Size: 88.1 KB
Created: 2021-10-23 15:11:41 UTC
Authoring application: Microsoft Excel 15.0300
MD5: de0cec0bc29b02edb788329fd035e575
SHA-1: 3f688617e40639fbcc005021e708b5cf05a15d70
SHA-256: de939047dbb451746a9ce38b1cafe34512f4f73c97ec2c8377babf14f7af70c4
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The critical heuristic fired on a Shell() call within the VBA macros. The macro reconstructs a PowerShell command that downloads an executable named 'Sega5.exe' from 'http://ddl8.data.hu/get/246747/13107078/Sega5.exe' and then executes it. That PowerShell command is written to a batch file named 'Wprowyrtx.bat', which is then run via Shell(). Confidence is high because the download-and-execute chain is explicit in the decoded macro source.

Heuristics (2)

  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind          Source                                                           Size
macros.bas          vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)   2398 bytes
    SHA-256: 022bbdc3f4d93a55ec1e44ea87c6e81928b816deff6b764f8e4403d2dab7be4f
vbaProject_00.bin   vba-project   OOXML VBA project: xl/vbaProject.bin                             6144 bytes
    SHA-256: 343934d88b419a5fffb68a75bfffdafd6a5d95ff374aa1efb7ec5d05931019e7