Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f66fe29569be1771…

MALICIOUS

Office (OOXML) / .XLSM

142.2 KB Created: 2021-02-10 00:37:58 UTC Authoring application: Microsoft Excel 15.0300
MD5: 7a676f47c83d58544756e68911f7e9f3 SHA-1: 77d8c2bf11bad21aa152d58a0b684dc534f3ed90 SHA-256: f66fe29569be17717a1ac2e7e6d1990a78256824e9badbb93b18c6c7cd1b5bee
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample is an XLSM file containing VBA macros, specifically a Workbook_Open macro that utilizes WScript.Shell and the Shell() function. This indicates the macro is designed to execute arbitrary commands or scripts upon opening the document. The presence of these critical heuristics strongly suggests the file is a macro-based downloader or dropper.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5ef99ba8792ce56f7e22814b69ef348706b5929cf3a4ea3e7338622f0d6ef32f		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2067 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
1f85e5c87ab6d88627240f9c1c191373ab4cceaeb4330083b730158353204e41		 vba-project OOXML VBA project: xl/vbaProject.bin 16896 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.