Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0d69d5a2417168af…

MALICIOUS

Office (OOXML) / .XLSM

438.1 KB Created: 2026-01-08 23:46:48 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-01-09
MD5: 9231d1267c70db2cf431bcd9532f4166 SHA-1: 31eb0e23834cf22a49d7403033907135b19293ad SHA-256: 0d69d5a2417168afaa14f50be8c518379f2bd7bdb9861c227c810732ce44f9db
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

This XLSM file contains an Auto_Open VBA macro that attempts to execute a payload. The macro references PowerShell and uses CreateObject, indicating it's designed to download and run a second-stage executable. The embedded VBA code also attempts to create a persistence mechanism via the Run key, specifically targeting 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy', and writes to 'C:\Users\Public\Documents\update.log' and potentially executes 'C:\Users\Public\Documents\update.exe'. The document body explicitly instructs the user to 'Enable Content', a common lure for macro-based malware.

Heuristics 12

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (xl/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1a80a91e2beabebd746c0064d840d4e0c918c695c51c6d59e38279ddff818531		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 17986 bytes
ooxml_oleobject_00.bin
946f6e3740b6ef6b1b60d6846106d3c344004dfc6f4449de20e4aceb81c5f3c5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 712192 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
469a118471823de22f32b701d2905c009363f301d64c4bc2b44de5fc039703bf		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 705064 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin
b4af8305c5e9da8629f52d1872854d73aa4e5a4b4b29dc9510e09b2ea12a365a		 vba-project OOXML VBA project: xl/vbaProject.bin 38400 bytes
emf_00.emf
47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888		 ooxml-emf OOXML EMF part: xl/media/image1.emf 4988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.