Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 17ac604572c5b05f…

MALICIOUS

Office (OOXML) / .XLSX

32.0 KB
MD5: 1ee286ca84584b774f3989da802e5795 SHA-1: fab513e61704313d592a2f5d772db22916553567 SHA-256: 17ac604572c5b05fa41a831be3492a54cb2be5c5868cbdc3ce975d501b2222c7
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a Workbook_Open VBA macro. This macro is designed to present a deceptive input box to the user, disguised as a calculation prompt. The macro then uses a loop to repeatedly ask the user for input, suggesting a social engineering tactic to extract information or engage the user in a malicious process. The presence of the Workbook_Open event and the deceptive user interaction strongly indicate a phishing or social engineering attack vector.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-10004384-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10004384-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA project inside OOXML medium OOXML_VBA
    Malformed OOXML local headers contain vbaProject.bin — VBA macros present
  • Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERS
    The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
vbaProject_00.bin
986721543932c6af40930656d1a40375168fd60cd64ec54ecdd1521f2b4653ac		 vba-project Malformed OOXML local-header VBA project: xl/vbaProject.bin 37888 bytes
Detection
ClamAV: Doc.Malware.Valyria-10004384-0
Obfuscation or payload: unlikely
macros.bas
527d0656a0c2c323955d068683ef8f7e20c035cda247a1e24383595c0eb3403b		 vba-macro oletools.olevba.extract_macros (decoded VBA source from malformed OOXML local headers) 7821 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.