Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 01acc8de9efab9e6…

MALICIOUS

Office (OOXML) / .XLSM

Size: 23.3 KB
Created: 2006-09-16 00:00:00 UTC (the default dcterms:created value inherited from Excel's built-in workbook template and shared by many legitimate files; it is not the real authoring time)
Authoring application: Microsoft Excel 16.0300
First seen: 2022-02-18
MD5: 0c98897eb19294dfb23e687b80823fa9
SHA-1: 5619ac513943fd3473604136a00fc67becdb1906
SHA-256: 01acc8de9efab9e6124a91a9215cf275aa9c3b8e138eaa47dc8c81313fd8ef56
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

This macro-enabled Excel workbook (XLSM) carries VBA code that formats financial transaction data and writes it to a local file. The OLE_VBA_CREATEOBJ heuristic fires on a CreateObject call, which malicious macros commonly use to instantiate scripting, shell or network COM objects; the same call also appears in benign automation, so it is weighed together with the other heuristics rather than treated as conclusive on its own. The OOXML_DOWNLOAD_SHAPE heuristic flags a call-to-action phrase inside a drawing shape, the usual visual lure for persuading the user to enable macros. The VBA builds the local path 'C:\finacleupload\' as its output location, which could serve as a staging area for later activity. To confirm the verdict, review the extracted macros.bas for the ProgID passed to CreateObject, the entry point that triggers the code, and exactly what is written under that path.

Heuristics (3)

  • OLE_VBA_CREATEOBJ (high): CreateObject call
    The VBA code calls CreateObject, which instantiates an arbitrary COM object by ProgID (for example a file-system, shell or HTTP object); the ProgID passed is what decides how dangerous the call is.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project (xl/vbaProject.bin); VBA macros present.
  • OOXML_DOWNLOAD_SHAPE (low): Call-to-action shape / download button
    Document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box, a common visual lure used to trick users into enabling macros or visiting a malicious URL.
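As an added triage example (not part of this report and not oletools code), the following Python script reproduces the three heuristics above at the zip and source level. It builds a constructed macro-enabled workbook in memory, checks for xl/vbaProject.bin and for a call-to-action phrase in drawing shapes, and scans a constructed VBA listing written in the shape of an olevba macros.bas dump for CreateObject, auto-execute entry points and hard-coded Windows paths. The sample workbook, the VBA text and the VBA_AUTOEXEC / VBA_FILE_PATH labels are assumptions made for this example; the compound-file signature, the OOXML part names and the macroEnabled content type are real format constants.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] compound-file header signature
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"  # workbook.xml type for .xlsm
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
LURE_RE = re.compile(r"\b(click here|download now|enable (?:content|editing|macros))\b", re.I)
CREATEOBJECT_RE = re.compile(r'\bCreateObject\s*\(\s*"([^"]+)"', re.I)
AUTOEXEC_RE = re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b", re.I)
WINPATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"')

# Constructed VBA listing in the shape of an olevba macros.bas dump; NOT the sample's code.
VBA_SOURCE = '''\
' constructed example module
Private Sub Workbook_Open()
    Dim fso As Object, ts As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FolderExists("C:\\finacleupload\\") Then fso.CreateFolder "C:\\finacleupload\\"
    Set ts = fso.CreateTextFile("C:\\finacleupload\\txn.csv", True)
    ts.WriteLine Format(Range("A2").Value, "0.00")
    ts.Close
End Sub
'''


def build_sample_xlsm(declare_macro_enabled=True):
    """Constructed stand-in for the analysed workbook: only the parts the heuristics inspect."""
    workbook_ct = MACRO_CT if declare_macro_enabled else PLAIN_CT
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{workbook_ct}"/>'
        '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>"
    )
    # Lure text deliberately split across two <a:t> runs, as Excel often writes it.
    drawing = (
        '<xdr:wsDr xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        "<xdr:sp><xdr:txBody><a:p><a:r><a:t>Click </a:t></a:r><a:r><a:t>Here to enable content"
        "</a:t></a:r></a:p></xdr:txBody></xdr:sp></xdr:wsDr>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/drawings/drawing1.xml", drawing)
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)  # header-only placeholder
    return buf.getvalue()


def triage_ooxml(xlsm_bytes):
    """Zip-level checks: OOXML_VBA and OOXML_DOWNLOAD_SHAPE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        names = set(z.namelist())
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
        if "xl/vbaProject.bin" in names:
            note = "xl/vbaProject.bin"
            if z.read("xl/vbaProject.bin")[:8] != OLE_MAGIC:
                note += " (not a compound file: corrupt or tampered project)"
            if MACRO_CT not in ctypes:
                note += " (workbook not declared macroEnabled: content type/extension mismatch)"
            hits.append(("OOXML_VBA", "medium", note))
        for name in sorted(names):
            if name.startswith("xl/drawings/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                text = "".join(re.findall(r"<a:t[^>]*>([^<]*)</a:t>", xml))  # join split text runs
                m = LURE_RE.search(text)
                if m:
                    hits.append(("OOXML_DOWNLOAD_SHAPE", "low", f"{name}: {m.group(0)!r}"))
    return hits


def triage_vba(source):
    """Source-level checks over decoded VBA (what olevba's extract_macros yields)."""
    hits, paths = [], set()
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # drop trailing comments (truncates literals with an apostrophe)
        for progid in CREATEOBJECT_RE.findall(code):
            hits.append(("OLE_VBA_CREATEOBJ", "high", f"line {n}: CreateObject({progid!r})"))
        m = AUTOEXEC_RE.search(code)
        if m and re.match(r"\s*(?:Private |Public )?Sub\b", code, re.I):
            hits.append(("VBA_AUTOEXEC", "medium", f"line {n}: {m.group(0)} runs on document open"))
        paths.update(WINPATH_RE.findall(code))
    hits.extend(("VBA_FILE_PATH", "info", p) for p in sorted(paths))
    return hits


def triage(xlsm_bytes, vba_source):
    return triage_ooxml(xlsm_bytes) + triage_vba(vba_source)


if __name__ == "__main__":
    for hid, sev, detail in triage(build_sample_xlsm(), VBA_SOURCE):
        print(f"{sev:<6} {hid:<20} {detail}")
```

On a real sample you would feed triage_ooxml the .xlsm bytes and triage_vba the text olevba extracts from xl/vbaProject.bin (the MS-OVBA decompression is left to olevba here). The two zip-level caveats are the ones worth acting on: a vbaProject.bin that is not a compound file, or a workbook whose content type does not declare it macro-enabled, points at hand-crafted or tampered files rather than an ordinary Excel save.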

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind          Source                                                           Size
macros.bas         vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)   4622 bytes
                   SHA-256: a40b7f3fe210c74c473b19f9f6c3bb2eae8dc29deef73ec6c47cff2eba68bd45
vbaProject_00.bin  vba-project   OOXML VBA project: xl/vbaProject.bin                             25088 bytes
                   SHA-256: 2ab929c3df0d3b68f9af1871e045821625cf2b9d5913c3d5ed13b240687aa547