Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 17ca5282a27575f3…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM
Size: 49.4 KB
Created: 2020-02-01 18:28:07 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 0cfe3ca0687a10174b211d195c7ecf0e
SHA-1: 90c8d6b8e5ff5ad04262230e8a5bf1bc16fcd68b
SHA-256: 17ca5282a27575f35ead553cbdcd37944a18e8c6fc3a1a7c306d485a1689fe79
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an XLSM document containing a VBA macro that runs automatically when the workbook is opened (Auto_Open). The macro calls CreateObject, a technique commonly used to launch malicious payloads. The presence of an embedded Equation Editor OLE object further suggests an exploit attempt. The VBA code is heavily obfuscated, but the overall pattern indicates a macro-based downloader designed to execute a second-stage payload.

Heuristics (8)

  • Equation Editor OLE object [high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded Office object carries macros [critical] (OFFICE_EMBEDDED_MACRO_OBJECT)
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document, frequently under an obfuscated, non-standard part name, is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    The VBA project contains an Auto_Open macro, which runs when the workbook is opened.
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    The VBA code contains a CreateObject call.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML [medium] (OOXML_VBA)
    The document contains a VBA project (VBA macros present).
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (9)

Files carved from inside the sample during analysis. Each record lists filename, SHA-256, kind, source, size and (where available) detection results.

  • macros.bas
    SHA-256: c453cdbeda1afe9eeb7762f99b79b4588195e3f7387b60644e25cb0df2b5a4c6
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 53746 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 2 long base64-like blob(s).
  • ooxml_oleobject_00.bin
    SHA-256: e23bd96cf6134f1323b9a80e2ebe0fad5c804dcab886a950823d3a7bc2e847f1
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 3584 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: ffc90c2d477626bde7fe23eae852efc723c60a263a8f31e487436bcf08b66c2e
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 1183 bytes
  • ooxml_oleobject_01.bin
    SHA-256: 17b660f9f07dd2ae6ab03094a95fadf7ed65581397a712e3c1c2607ba73f7f85
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 12288 bytes
  • ooxml_oleobject_01_ole10native_00.bin
    SHA-256: e0d5b3244553199f0178d3c66d51985c8464bf1e06c0d0e6902d64fc6e4b795f
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 9268 bytes
  • ooxml_oleobject_02.bin
    SHA-256: 7fd2f990e10ba06b1abbe4b4e06ac7b1a6910947b82df34e13a5c53b74471dc4
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject3.bin
    Size: 5936 bytes
  • ooxml_oleobject_03.bin
    SHA-256: b402f4b76964f3e8cad121ae43b6826e183cbea707de36226901a969284141ae
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/vbaProject.bin
    Size: 98304 bytes
  • emf_00.emf
    SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 4968 bytes
  • emf_01.emf
    SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1536 bytes