Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 20ff54eb54bdb826…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.8 KB
Created: 2020-06-10 10:17:11 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 9a7eb000cfd52003caf97e666a49459d
SHA-1: 9437e16fc3bc71a67fc8d3abdc35e94806e5085d
SHA-256: 20ff54eb54bdb826df1b416a8c353a49723d9a36069aeaf516d2043bc41a6554
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an XLSM file containing VBA macros. Heuristics indicate the use of Shell() and WScript.Shell, suggesting the execution of arbitrary commands; the extracted macros.bas artifact, which carries a shell/COM execution token, further supports this. The VBA macros likely download and execute a second-stage payload, a common technique for initial access or further system compromise. No specific malware family could be identified.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OOXML_VBA (medium): VBA project inside OOXML. Document contains vbaProject.bin, so VBA macros are present.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis (Filename / Kind / Source / Size).

  • macros.bas
    SHA-256: a770ad8214d45a2307cffe40b6a241efeba85ebe106a09b9e6affc7d015310f0
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1249 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).

  • vbaProject_00.bin
    SHA-256: aba5d7d03e9e7c0076b338ab3a5c76d538052033133a214b8a6c3959d38dc945
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 17408 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).

  • emf_00.emf
    SHA-256: 5b66e7534e104135fa70c6b280638c62a133c84f0339a0a2afc5e6b70f87eb44
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2748 bytes

  • emf_01.emf
    SHA-256: 9b73180d3d78b176168c1ec139b787b8d7f583adab2e32295cb843135f15a303
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 2352 bytes