Office (OOXML) / .XLSM malware analysis — malicious · e5c792a3e30d93d8

MALICIOUS

Office (OOXML) / .XLSM

36.2 KB Created: 2022-07-07 10:01:42 UTC Authoring application: 16.0300 First seen: 2022-07-07

MD5: 4c230680122b1f80a845c04cdfba1377 SHA-1: 3ebd6de1cbf7a6df89efeb8833084427e6d83b9c SHA-256: e5c792a3e30d93d8f3d1cb79607c46901a54d847799a6a93fbeaf54fc7799308

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macros are designed to download a file from the internet and execute it. The script uses 'CreateObject' with a suspicious string literal 'MM.LT6SLXHP.X2MT.0', likely to instantiate an object for network communication and file handling. This strongly suggests the macro is a downloader for a secondary payload.

Heuristics 4

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `2af51cd2413f31bf9567f02a21e1d4a58181cd3127424cf662f7f95cc6896bbb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4136 bytes
`vbaProject_00.bin` `ece54141fc27f6418e488c12dd325fe568d5bcc4216c63542cf142e9f230a34a`	vba-project	OOXML VBA project: xl/vbaProject.bin	23552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.