Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 00777c86e5853977…

MALICIOUS

Office (OOXML) / .XLSM

44.4 KB Created: 2020-10-28 12:03:20 UTC Authoring application: 16.0300
MD5: 56d32b6823bf5fd7d2360f423b62e9f2 SHA-1: cc45d98bea6687480fa5d35bbfafa3ca3b873304 SHA-256: 00777c86e585397754f0e73a927bcaa3e39a4948d9bb28e758f0f5bfdac1eef4
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The OOXML file contains VBA macros, specifically triggering the 'OLE_VBA_ACTIVEX_XLM_STAGER' heuristic, indicating an attempt to execute Excel 4.0 macros via an ActiveX event. The VBA code appears to be heavily obfuscated, using functions like 'undoo', 'parcel', 'bounds', 'affiliates', and 'tracking' to construct and execute commands. The script's ultimate goal seems to be to close the workbook after performing these actions, likely as part of a multi-stage attack to download and execute a further payload. The benign URLs present do not appear to be directly used in the malicious execution flow.

Heuristics 3

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ff067053430286a2f87af54545324c7124237696ae63b0368d4291e50348c9ce		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1743 bytes
vbaProject_00.bin
eed1a2c783c9549a170e2b5465c98b7eb78de8ac27c9d561ecd6fc112bcbb383		 vba-project OOXML VBA project: xl/vbaProject.bin 17920 bytes
emf_00.emf
926f98c9bc6f3d8be4496629b147b6506d70b2ed08f0f61f95e02353c4f2dccb		 ooxml-emf OOXML EMF part: xl/media/image1.emf 2448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.