Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 e5589fa39f2ac219…

MALICIOUS

Office (OOXML) / .XLSM

Size: 102.9 KB
Created: 2021-08-19 14:03:52 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 8eefc88446e9c96bc929eac6962d682c
SHA-1: be73ebfa26c337f8b3aac9ce6223cb85d05462d4
SHA-256: e5589fa39f2ac2193d974679d599e6f4f064a358922f3ad99675859efad1f1d5
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is an XLSM file containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA code. The VBA script reconstructs a PowerShell command that downloads a file from 'http://65.2.149.25/pef/B/ip2/BAUBC0MD0WPGWH.exe', saves it as 'Defecurb.exe', and then executes it. The macro's purpose is therefore to download and execute a second-stage payload.

Heuristics (2)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OOXML_VBA (medium): VBA project inside OOXML; the document contains vbaProject.bin, so VBA macros are present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: f6a5ec3168ae730406d3e51ee3c62eb3c2861ba07d0d8362c76af9c564a958d4
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2402 bytes
  • Filename: vbaProject_00.bin
    SHA-256: aa58b08619174a335b03babd81c4fdcc3fe8221b140f7b8cb16165b08c8432b4
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes