Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 174bd33fbbb3fd21…

MALICIOUS

Office (OOXML) / .XLSM

Size: 65.0 KB
Created: 2020-11-18 13:40:49 UTC
Authoring application: 16.0300
MD5: bce2fcdd56bcfae5cd6c047e5056ad38
SHA-1: d550143fd56f81bfdb145b89f655ce4751e2b7e8
SHA-256: 174bd33fbbb3fd218efcf87f109fdb948a7b618ccd4b9ab4bee18cba09acaf85
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an XLSM file containing VBA macros. The critical heuristics indicate that these macros leverage ActiveX events to execute decoded Excel 4.0 macros. The VBA code in 'macros.bas' confirms this by using 'ExecuteExcel4Macro' to run obfuscated commands, likely to download and execute a secondary payload. The specific Excel 4.0 macro commands are heavily obfuscated within the document body and script, preventing a more precise analysis of the final payload.

Heuristics (3)

  • VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1148 bytes
    SHA-256: 876beb103e443059d32fb2ab129231d83d1fc25741f98c3bf8e6ae8f1052564e
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 15360 bytes
    SHA-256: 5fb332563513d8310edbdc36ab804c56a77c2f50aeec04f8ff3c1f55e342ec89
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2024 bytes
    SHA-256: 18442f66fc184308368fb113b1c28494dce7331a052469405fcf94f2ee8085b5