Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 072f024709b1356d…

MALICIOUS

Office (OOXML) / .XLSM

Size: 33.3 KB
Created: 2020-06-09 06:09:59 UTC
Authoring application: 16.0300
MD5: 73da1d8583f0670b375d964aad96d613
SHA-1: 36ac272fbaa5aad12d49ffebcd4aab87d45e4206
SHA-256: 072f024709b1356d2d131a90a630042d2c0592309a75d3882c1fb71bf5b449e4
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1203 (Exploitation for Client Execution)

The XLSM file contains VBA macros that leverage ActiveX events to trigger the execution of Excel 4.0 macros via the ExecuteExcel4Macro function. This mechanism is used to download and execute a second-stage payload, as indicated by the ClamAV detection and critical heuristic firings.

Heuristics (4)

  • OLE_VBA_ACTIVEX_XLM_CELL_STAGER (critical): VBA ActiveX event runs worksheet-decoded XLM formulas
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • OLE_VBA_ACTIVEX_XLM_STAGER (critical): VBA ActiveX event launches decoded Excel4 macro
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-8012272-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-8012272-0
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project — VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 361bd2a95d1cd5ddc6b24b4dc37bbb03beda7a557d215d2c0de610d7c5898c00
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1523 bytes
  • vbaProject_00.bin
    SHA-256: 1a6d7851618ea4fc09b70312cc5a43ca2399db4944026873c4736f83a20d15c8
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 17920 bytes
  • emf_00.emf
    SHA-256: 8cd5911e059629ad27f3e6f7ffaa9947ac75b5a3a39d30ffeeceaf7ee9e8829d
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 3408 bytes