Office (OOXML) / .XLSM malware analysis — malicious · f1f34d768940b89e

MALICIOUS

Office (OOXML) / .XLSM

29.4 KB Created: 2022-08-03 10:47:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-08-03

MD5: 0ba0bd3e07bd7b620b2a6064c545f6c8 SHA-1: d279863b0377e979e77c61bb98f05c3607d3dbca SHA-256: f1f34d768940b89e1619ccdd457f4a8f543bc06eb0afa3ce98aece060834c3d3

168 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from an HTTP URL and saves it to disk. The script uses 'CreateObject("MSXML2.XMLHTTP")' and 'ADODB.Stream' to download the content from the URL 'http://opcmwng.wp.esr2/PSM2XLT60GTDD.tem' and saves it to a temporary file. This downloaded file is then likely executed, constituting a downloader attack pattern.

Heuristics 5

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8be9aec09a72a25ab0d1df19f5dece45db34f159454eca61d89c7c02975423ed`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2845 bytes
`vbaProject_00.bin` `acc1361d28f315dc8654b763bf36349cc48eb88c695c42c0747fe36c635e4e25`	vba-project	OOXML VBA project: xl/vbaProject.bin	21504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.