Office (OOXML) / .XLSX malware analysis — malicious · 144e827b4306ea5a

MALICIOUS

Office (OOXML) / .XLSX

29.6 KB Created: 2020-09-22 07:36:46 UTC Authoring application: Microsoft Excel 16.0300

MD5: b0dbfca06e5802356fe6560763a456ad SHA-1: d8fa5f958d21b340df8c6ddafb315040c4bc0cd7 SHA-256: 144e827b4306ea5a2b92b6c751ba6b9c3f016ce55dd7497f04650d1cab07e2f2

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

This XLSX file contains VBA macros that leverage ActiveX events to execute obfuscated Excel 4.0 macros. The script `macros.bas` contains a function `picolas` which calls `ExecuteExcel4Macro` with a string constructed from constants and character manipulations. This pattern is commonly used to download and execute further malicious content. The ClamAV detection further confirms its malicious nature.

Heuristics 5

VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER

VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
ClamAV: Xls.Malware.Mrhl-9774585-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Mrhl-9774585-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `165c43708aa80c9c9112c0fd156565042506fba3024ce0bccffeb0adcf230f53`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1368 bytes
`vbaProject_00.bin` `62d9eccb10905179c9603e4a40aac05e5b84661c0a00dac16f06a4507adc13b7`	vba-project	OOXML VBA project: xl/vbaProject.bin	16896 bytes
Detection ClamAV: Xls.Malware.Mrhl-9774585-0 Obfuscation or payload: unlikely
`emf_00.emf` `50abcb00719c61b78c5bbdc4312ee8a19e77b56a68945f68db89c6160e20eb9c`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.