Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f32ff0f8fe78ad69…

MALICIOUS

Office (OOXML) / .XLSM

Size: 85.5 KB
Created: 2022-01-06 00:01:33 UTC
Authoring application: Microsoft Excel 15.0300
MD5: fc6e8b5b521a5d4c45bdaf9e27f3d56b
SHA-1: f10ae1b6d5f19bef9b14bcf68cd95b5a5242322a
SHA-256: f32ff0f8fe78ad69e72c054fe28f44e6ce6b9d4109b909fa917a3a526f1c84cb
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The critical OLE_VBA_SHELL heuristic indicates the presence of a Shell() call within the VBA macros. The script reconstructs a PowerShell command to download a second-stage executable from 'http://ddl8.data.hu/get/288294828/Wqfap.exe' and save it as 'Xqtsmwmlhfezvoqikrbtrhz.bat', which is then executed. This indicates the document's primary purpose is to act as a downloader for further malicious activity.

Heuristics (2)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 1298cc9900c6d6cc0028061bdcfdeaaac82f9c3c203509245d24195936ef703d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2330 bytes
  • vbaProject_00.bin
    SHA-256: 8f9f94a10f13d365c7e095e85e51539bb3bc40a07d44dc625b543a938dc366ac
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 6144 bytes