Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 e97b5976bfc0e4e4…

MALICIOUS

Office (OOXML) / .XLSM

45.2 KB Created: 2022-07-20 09:00:31 UTC Authoring application: 16.0300 First seen: 2022-07-21
MD5: 9f8933319edf713f3cf393f9ab4fb129 SHA-1: 4cc4ebc0b4b5d5c7d9fbd32d2cbd9ae3cf2a89a1 SHA-256: e97b5976bfc0e4e458702328789eb210371e5a1959efb33ef04aaf55d4c6b707
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macro downloads and saves a file to disk. The script attempts to construct a URL by concatenating strings, which appears to resolve to 'http://19g3s6rv7er4.s2.free.fr/96t/eao'. This functionality strongly suggests the sample is a downloader for a second-stage payload.

Heuristics 5

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
46be2829e77a3628e528d8e2dcee67271fedc0cdadddd9e1d084a3e17e42a617		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3728 bytes
vbaProject_00.bin
5f7e04a3a6b0cbf656c54ab475b76d7a7b585e213edf05510e84b06457973a00		 vba-project OOXML VBA project: xl/vbaProject.bin 31232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.