Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0d2ce5b6530a0fef…

MALICIOUS

Office (OOXML) / .XLSM

Size: 44.1 KB
Created: 2020-10-05 12:30:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 2aa71ba2cd17a5f65c732bcacf1b3659
SHA-1: 93c570de448296c1edb1bd6fb66f69fe05e9aeb5
SHA-256: 0d2ce5b6530a0fefbffb231b37c6895bfe7057f48aa0d26f33d45b453eaa70f3
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic 'VBA ActiveX event launches decoded Excel4 macro' indicates that the sample is designed to execute embedded Excel4 macros. The VBA script decodes a list of URLs and uses ExecuteExcel4Macro to download and execute payloads from them. The decoded URLs point to various domains hosting potentially malicious content.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 20faef74492259a1cac9164b7d6a5adf5d3a0c394e3bead996bfb8deaf786380
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    1824 bytes

Filename: vbaProject_00.bin
  SHA-256: 0ebcd76f3206cc0654aa83af18da4b7fbb9c818cb54defffe41d1b7308eadb5f
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    17920 bytes

Filename: emf_00.emf
  SHA-256: a3bbc1d0170f191b05ec0d278f3abdf794c973cce4a2e21c43d1132f55b01e07
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image1.emf
  Size:    9596 bytes