Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 fb3980d5c6bc616d…

MALICIOUS

Office (OOXML) / .XLSM

252.2 KB Created: 2021-04-12 15:31:58 UTC Authoring application: Microsoft Excel 15.0300
MD5: 38b75824d3dba0e92d48260468ba4609 SHA-1: abbf9426797c5e0bd37bb962e4d2d80fbc8128d7 SHA-256: fb3980d5c6bc616daaa12221221e38c74f098d28bd666fe9b2251758ff017d6c
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The file is an XLSM document containing VBA macros, with a Workbook_Open macro detected. The VBA code likely uses CreateObject to execute malicious actions, potentially downloading and running a second-stage payload from one of the provided URLs. The obfuscated VBA strings and auto-execution terms further indicate malicious intent.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://automanic.tdejob.work/hqimpLV9qAByF.php
    • https://demodoctor.tdejob.work/Dr-Trina-Karmakar/css/KtPya1rG.php
    • https://cloud365office.com/backup/wp-includes/Text/Diff/Engine/c3sRfLmzlqKpetN.php
    • https://rockin1000.com.br/code/img/SocialMedia/IThiDYMU.php
    • https://shivajischools.com/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/0iY0E7xuFGxn.php
    • https://ricardobig.com/wp-includes/js/tinymce/plugins/charmap/5OaQPTnDxYX.php
    • https://standard.techfreestore.com/KJStyqxJw.php
    • https://opticahealthvision.com/wp-includes/js/tinymce/themes/inlite/6oc5yCaQGY0zv.php
    • https://populusdei.co.ke/3od7mTyOyF.php

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
74b4b0bbda1a1c1372e7928b5e432e9861810ce8b9781d9f6871a455a3714962		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 72266 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
4ac5909d4ee28311a0f0cc5b656a3aa1a17d15d2f079faf73dad0285091215dd		 vba-project OOXML VBA project: xl/vbaProject.bin 210944 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.