Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 fae64a003ce75b93…

MALICIOUS

Office (OOXML) / .XLSM

Size: 70.9 KB
Created: 2020-01-28 19:47:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: eef4ccde0956d39a28c79911924cf59a
SHA-1: c972bffdec6b019b220a2381e131da4b2a080112
SHA-256: fae64a003ce75b937882f17da3d38f2f1a4c3546b504c983d88b0ba3250fb22c
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The XLSM file contains VBA macros and a lure, masquerading as an Excel tour, that instructs the user to enable content. Once content is enabled, the `Prefix0` subroutine runs: it writes and executes a batch file named 'Uusajwtsndq.bat'. That batch file in turn invokes PowerShell to download 'Modzimo.pif' from 'http://stubhost.online/fold/Modzimo.pif' and save it to 'C:\Users\Public\Modzimo.pif'; the same PowerShell command also attempts to execute the downloaded file.

Heuristics (5)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (3) (low, OOXML_EXTERNAL_HYPERLINKS)
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: http://go.microsoft.com/fwlink/?LinkId=846286
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://go.microsoft.com/fwlink/?LinkId=846286
    • http://go.microsoft.com/fwlink/?LinkId=844969

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: feeda91c062bd1084fa5fe9423663f98af8b8091c89b6cf5a995d41f58632e18
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2673 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 7a5193157ac5fffa2ea61515ed7aae3f257c00d82f53b0958a4c985271a2b92a
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 20992 bytes