Office (OOXML) / .XLSM malware analysis — malicious · 04ef2baa4a7456f5

MALICIOUS

Office (OOXML) / .XLSM

49.7 KB Created: 2020-10-14 12:21:49 UTC Authoring application: Microsoft Excel 16.0300

MD5: 7b02d6d887882e498786de5ff3d9e961 SHA-1: 35d8652ba58e2c387cadc1f76269aaf647a29121 SHA-256: 04ef2baa4a7456f572abb22af761e3a4e74c78133c74e4d1be8427ca36ed96ee

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an XLSM file containing VBA macros. The critical heuristic indicates that an ActiveX event launches a decoded Excel4 macro, which is used to execute a series of obfuscated URLs. These URLs are likely used to download and execute a second-stage payload, a common technique for malware distribution.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8cff63167ca151ae6047c476dd35fb04dcd6ba89c39b02856ff0175b8754bd4d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2120 bytes
`vbaProject_00.bin` `0b172b9f3c4210a68d25ab22c391a77cc1915b78ed85622e2d5ad2fba4d99eea`	vba-project	OOXML VBA project: xl/vbaProject.bin	20992 bytes
`emf_00.emf` `8357e7f07f41a1e53a6ef35edda5f8d6ef14c676e025cb302cff4e47f3ae55a8`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	2024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.