Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 dfe7300a9c96072b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 144.8 KB | Created: 2021-08-19 14:03:52 UTC | Authoring application: Microsoft Excel 15.0300
MD5: e2993583ac8bc8d0f9b6859cb8961fa0
SHA-1: 4475b7d3235d39236e1594e36821ab2aa2473059
SHA-256: dfe7300a9c96072b502a7807bea2d4af6e977e4253f54499c7c6995b8a437872
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. The critical heuristic that fired indicates a Shell() call within the VBA code. The extracted VBA script contains a Base64-encoded string which decodes to a PowerShell command. This command downloads a file named 'ET_0410000456_0634741.exe' from 'http://hhnfowdco.com/wp-content/plugins/masterx/'. The script then executes the downloaded file, indicating downloader or dropper functionality.

Heuristics (2)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: da41436db193fec13886d3f1794ff1ccd72c2a805aa38e5df26df1f1234d35ea
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2540 bytes
  • Filename: vbaProject_00.bin
    SHA-256: bfbcfd97e806505518f8c818deab30fdcdea93e1ea62fd01f34f3552377d39f3
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6656 bytes