Office (OOXML) / .XLSM malware analysis — malicious · f25609f396644e45

MALICIOUS

Office (OOXML) / .XLSM

29.3 KB Created: 2022-08-03 08:47:31 UTC Authoring application: 16.0300 First seen: 2022-08-03

MD5: eae2fa763b7c00ca4b7d5f57c5d3ea0d SHA-1: 02e8ed97768da626339c5a5b849c0fa900b9668e SHA-256: f25609f396644e4593527a1d550ba0c1626926df6c619929e2766fd3c2b72ebf

168 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from an HTTP URL and saves it to disk. The script uses 'CreateObject("MSXML2.XMLHTTP")' and 'CreateObject("ADODB.Stream")' to perform this download. The reconstructed URL 'tp:/ocmwngWPesrSMXLTGD.' suggests a malicious download attempt, likely leading to the execution of a second-stage payload.

Heuristics 5

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `dea24232ff92ae1bad423d09cdfa17808794bf347bda00349244f66500234fa3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2850 bytes
`vbaProject_00.bin` `8916fc04eb9b753833e39ea8d67ba779b86a7c2d0e90dc49ffa54f0d5a0f33cb`	vba-project	OOXML VBA project: xl/vbaProject.bin	21504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.