Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f461d0ee8f04f4f7…

MALICIOUS

Office (OOXML) / .XLSM

103.2 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300
MD5: 0f4d11ea9e5cb4b6d02ef992f5a7673a SHA-1: bb038badb9a8048618c2428f04d5d07604057fcb SHA-256: f461d0ee8f04f4f77f1116d48f0a9a7fbca6a8eceb48322fbfa49717086ed015
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The file is an XLSM document containing VBA macros. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the macro attempts to launch a process using WMI. The DOC BODY reveals a PowerShell command that reconstructs a URL ('http://91.235.143.133/cxwv/doc.vbs') and a filename ('doc.vbs') from hexadecimal character codes. This PowerShell command is then executed, indicating the macro's intent is to download and execute a second-stage payload from the specified URL.

Heuristics 5

  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • ClamAV: Xls.Dropper.Agent-8416981-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8416981-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8eddfa09680f4461a452ee274219a9d408ed74ab3aef53bc0ce248f40e366b62		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1972 bytes
vbaProject_00.bin
6754b32cf199d751549952413f9eba94ec9037f7cd76a97c75c6050cf84ded24		 vba-project OOXML VBA project: xl/vbaProject.bin 16384 bytes
Detection
ClamAV: Xls.Dropper.Agent-8416981-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.