Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f6c3cc1bca1054d9…

MALICIOUS

Office (OOXML) / .XLSM

186.2 KB Created: 2000-11-15 22:33:24 UTC Authoring application: Microsoft Macintosh Excel 16.0300 First seen: 2023-05-29
MD5: 5470dba96e5c80346bab02ab12e37c03 SHA-1: a4005141b33a9e3eca71d242ada35526bcf4026e SHA-256: f6c3cc1bca1054d9a2fba99e7e93023c4b297ea284290398f12af311fda9b78f
370 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1071.001 Web Protocols

This macro-enabled Excel document contains an Auto_Open macro that utilizes the Shell() function to download and execute a second-stage payload from a remote URL. The script is obfuscated, but the intent is to download and run a file from the provided URLs. The ClamAV detection and multiple heuristic firings, including critical ones for Shell() calls and obfuscated URLs, strongly indicate malicious downloader behavior.

Heuristics 11

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: https://secure-web.mail.magnetonics.com/XZVhWNGRUUkZUV3hHVEROUFl6UnpOMlI1YkdKalEydENWVVpCWlhOSVRXcG9jM3A1VnpsNU5XOUlWRmR
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://secure-web.mail.magnetonics.com/XY2xkNmQyVnBjMk5IWTBSTVZGUnNVRWd2Tkdsd1EzcHlhMnRMTkhwbUt6ZDVhRlY2V0ZFNFJIZ3ZMMUJNWld4bk9HTXdXa2d5Wm1oTVdFVlVjMHRpY2xScVd
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://secure-web.mail.magnetonics.com/XVXpGMGFXTm9VRXRUYVVkVloxTkhTMHM1UnpBdk4xVTNRa2REUW10eEwxaExTa1pqYkVGb1dqZDZOSFpQWjB0VVVFRllha2RZZFZOMlEyTk9kelZFTWpCVWQydGxhM0pYU0daVVNWWnJSSFF3Y2pNd1lXbElRbTFMZHpORWRWVnhVekZDVDFndldHUk1RM1JETlc5d1duUTNjM2RqYTBSS2NYYzJlSEo1WW1nd1dtOHdVbk5VS3pCUmEzUlZPUzlLTkNzNFZsSnViMlZLUTJSWll6Z3lUV3A2Y1ZoRE5UQTJWRk14UVdGMFptVjBjakYwYnpWSWRHOXlVbTlxYWtwTExTMDNaSGd4ZW10eFpqSlBReXR1VVhaNlJra3pWQzlCUFQwPS0tNjgwN2Y5YjBhNzMyNjJmMGM3M2FkYjI0NWRiYzJmZmY2ODdkOWZkNA==?cid=173654951
    • https://secure-web.mail.magnetonics.com/XZVhWNGRUUkZUV3hHVEROUFl6UnpOMlI1YkdKalEydENWVVpCWlhOSVRXcG9jM3A1VnpsNU5XOUlWRmRCTDNCRlpuVm1hbTQxY25Sa1NqSnBhMWRUZWpWRlltcDRUekpNTlRWWmNHZHlia3hDUXpka1ZuSXpiM2hyTUVoamJHcEZUV2REY1dscWJVNHJNRVU5TFMwd01DOW5RekpVYms1RFdqTkNieXQ1U0haRE1sRm5QVDA9LS1lODRlNGQ1MGZmMjc
    • https://secure-web.mail.magnetonics.com/XY2xkNmQyVnBjMk5IWTBSTVZGUnNVRWd2Tkdsd1EzcHlhMnRMTkhwbUt6ZDVhRlY2V0ZFNFJIZ3ZMMUJNWld4bk9HTXdXa2d5Wm1oTVdFVlVjMHRpY2xScVd
    • https://secure-web.mail.magnetonics.com/XY2xkNmQyVnBjMk5IWTBSTVZGUnNVRWd2Tkdsd1EzcHlhMnRMTkhwbUt6ZDVhRlY2V0ZFNFJIZ3ZMMUJNWld4bk9HTXdXa2d5Wm1oTVdFVlVjMHRpY2xScVdtVTRXVXBDYmtwRGQzSTBUSEZ2WVVVd1ZHRm1UWEJ
    • https://secure-web.mail.magnetonics.com/XZVhWNGRUUkZUV3hHVEROUFl6UnpOMlI1YkdKalEydENWVVpCWlhOSVRXcG9jM3A1VnpsNU5XOUlWRmR
    • https://secure-web.mail.magnetonics.com/XZVhWNGRUUkZUV3hHVEROUFl6UnpOMlI1YkdKalEydENWVVpCWlhOSVRXcG9jM3A1VnpsNU5XOUlWRmRCTDNCRlpuVm1hbTQxY25Sa1NqSnBhMWRUZWpWRlltcDRUekpNTlRWWmNHZHlia3hDUXpka1ZuSXpiM2h
    • http://Motobit.cz

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
49650dee6d71b08b08f18cc4083abb370952fd36b51b714aeb8d590f51dab364		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7298 bytes
vbaProject_00.bin
b6fe3d6e46e9363fb127cb0315590f7dd4eb45c377d6b0e8caeaeabfa73c61f1		 vba-project OOXML VBA project: xl/vbaProject.bin 35840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.