Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0d3868984e704ebf…

MALICIOUS

Office (OOXML)

1012.3 KB Created: 2010-02-04 07:20:56 UTC Authoring application: Microsoft Excel 16.0300
MD5: 6aaf039da15be9bd2c50dd47297e5434 SHA-1: a30dece7354440ca5b7db9e84c3c0ef30567fee0 SHA-256: 0d3868984e704ebf52d2987b854ca937e66ffba6e0c2a62ca8e4cb996b2988ec
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The OOXML file contains VBA macros and an external relationship pointing to a remote XLS file, indicating an attempt to execute code from an untrusted source. The presence of hidden worksheets further suggests an effort to conceal malicious activity. The VBA code appears to interact with an external add-in ('DuthauGXD.xla'), likely to download and execute a secondary payload.

Heuristics 3

  • External relationship high OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\Nu2ng\Nu2nG\Nu2nG\NISSAN BSD Tender\NISSAN BSD PI\BQ_TIMAHR1.xls
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 31 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
dfc3a4ba57e301ecfb6348949bcea8a927040637c5848694bf7aba88369e143d		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 25860 bytes
vbaProject_00.bin
c68c4cabbaacdd1c1886fdbf0d2da84ee755904b0933074e9368487d48cc25b2		 vba-project OOXML VBA project: xl/vbaProject.bin 111616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.