Office (OOXML) / .XLSM malware analysis — malicious · 0e1da51d4cbaf0aa

MALICIOUS

Office (OOXML) / .XLSM

43.0 KB Created: 2020-10-05 11:43:10 UTC Authoring application: Microsoft Excel 16.0300

MD5: fe5b73e8aa625d5f1d6ea78962ce7c3e SHA-1: f3746ee139fc28391b41b4c081edefa650ba9819 SHA-256: 0e1da51d4cbaf0aa055a6157c727f7961e1f2d04ed5f85f104738bc8d83756bd

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic indicates that a VBA ActiveX event triggers decoded Excel4 macros, which is a common stager technique. The VBA script contains obfuscated strings that, when decoded, reveal multiple URLs. These URLs are likely used to download and execute a second-stage payload, as suggested by the presence of multiple text, image, and archive file extensions.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b5fd8bb742d95e7513c1217605a880d80b598b0b96aff7cc8511425d91881d08`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1868 bytes
`vbaProject_00.bin` `0649b0f6e4602563703e118d8eda5c334a3996dc68163a2da715d2cdb49e9b12`	vba-project	OOXML VBA project: xl/vbaProject.bin	17920 bytes
`emf_00.emf` `53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.