Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 190b2cdfa53eaab0…

MALICIOUS

Office (OOXML) / .XLSM

89.3 KB Created: 2001-12-21 16:06:12 UTC Authoring application: Microsoft Excel 12.0000
MD5: 6a27e232270583b5c1796cf988d79ee4 SHA-1: 94e9f16d09a2031ecd04631782875eb95109dba7 SHA-256: 190b2cdfa53eaab02c24d69923988103a84cd2862c6c9d70a18feebbb3f0bc64
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an XLSM file containing a Workbook_Open macro that uses the Shell function to execute a payload. The macro constructs a path using the APPDATA environment variable and a string derived from cells, which is then executed. The presence of a fake invoice lure and the instruction to enable macros further indicate malicious intent. The script's obfuscated nature and reliance on cell values for constructing the payload path make precise IOC extraction difficult, but the execution of a second-stage payload via Shell is clear.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4618e4bd2e2dcb3172a3faf46f02781821ac0513b0be49c7c0c1511c62b020c1		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1961 bytes
vbaProject_00.bin
ca9f2dc306961f039b346fae98d79aa08a3a8f9147af74493e63b23d7f5d204d		 vba-project OOXML VBA project: xl/vbaProject.bin 13824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.