Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f1d1dd276fe74f89…

MALICIOUS

Office (OOXML) / .XLSM

219.7 KB Created: 2021-05-07 12:33:16 UTC Authoring application: Microsoft Excel 15.0300
MD5: c00a98e2633fb90da58c2eec86d4c2de SHA-1: c42acd54932fb471816b8e8969db0d96ffba48bf SHA-256: f1d1dd276fe74f8975056e7c73c5daa8f3164402021e7d434a2a82746466e517
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The file is an XLSM document containing a Workbook_Open macro that utilizes Wscript.Shell to execute commands. The macro is designed to download and execute a second-stage payload from one of the embedded URLs. The ClamAV detection and the presence of a Workbook_Open macro strongly indicate malicious downloader functionality.

Heuristics 8

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL https://firsthand.ng/wp-content/plugins/woocommerce/src/Admin/ZD21U3Bx6LCk.php
    • https://blog.techdesigners.ir/ytlRUHwAF.php
    • https://certifica.app.infoweb.boatcover.org/dt_091901820028/condivise/immagini/icone/icone-default-on/2NJsNm1KQuTMMVo.php
    • https://ammarakhizerkhan.com/wp-includes/sodium_compat/src/Core32/ChaCha20/Dn7zOdqooZVw.php
    • https://malsign.com/ICkPFoHIaO.php
    • https://natalierosenberg.com/wp-content/plugins/jetpack/images/apps/4dyIrpZd9bMQ.php
    • https://cartoonist.me.uk/wp-content/plugins/jetpack/scss/_utilities/us1svv7BFHAuE.php
    • https://intecmmesac.com/images/5xK5fW2OdjtD.php
    • https://repvoice.com/ltYn1z6L3M0Dr4.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6a4859fb482aa422e6058ec9b343bf822b5773608c061385c5361b56451b37e8		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 41489 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
ac3456e44e119779594191bda3377514397a1b0396cc6fef9e65e77a1404cf2e		 vba-project OOXML VBA project: xl/vbaProject.bin 261120 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.