Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 03be29062bd33925…

MALICIOUS

Office (OOXML) / .XLSM

Size: 29.1 KB
Created: 2020-11-04 11:23:48 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 70df936fcdad643b23d26e65b204729c
SHA-1: 44cf4e9a0f55d93452246940a7777b34ddad76a2
SHA-256: 03be29062bd339255e85043aef396362bd9dec61623c4653d4836af9bd72bb98
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristics indicate that the sample leverages VBA ActiveX events to execute obfuscated Excel 4.0 macros. The VBA code contains functions that appear to decode and execute these macros, with the ultimate goal of running a secondary payload. The `ExecuteExcel4Macro` function is a key indicator of this behavior.

Heuristics (3)

  • VBA ActiveX event runs worksheet-decoded XLM formulas [critical] OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not: the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 APIs or drop payloads, hidden from source-level scanners.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present).

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • macros.bas
    SHA-256: b807bf235fff90dcfdc0cbc2658d52b1569216c26ed3046dac250b6e2c33f905
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2200 bytes
  • vbaProject_00.bin
    SHA-256: d1d87ec547d6bd5210a3e20fd547a51050b65435e6d2933fb1b6a560a039d92f
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 19968 bytes
  • emf_00.emf
    SHA-256: 3f657b8f455dba6a1f1e82394aca0218fe2d2d5fbdbc7037e0ea790beb66a76c
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2352 bytes