Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2134fd37c725045e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 45.5 KB
Created: 2021-07-03 05:32:11 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 82424a0b96ac5b556b93b46432422ff8
SHA-1: 49b69135f5fd6e59ae61a49106220fb7c5df7d4c
SHA-256: 2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1566.001 Phishing: Spearphishing Attachment
  • T1087 Account Discovery
Macro Cobalt

T1566.001, T1059.001 and T1071.001 are consistent with the macro behaviour described below (a malicious attachment whose auto-exec macro appears to fetch and run a second stage). Nothing in the static evidence listed on this page supports T1087 (Account Discovery), so treat that mapping as unconfirmed until dynamic analysis is available.

The file's primary execution mechanism is a `Workbook_Open` auto-exec macro, which runs a chain of obfuscated operations as soon as the workbook is opened with macros enabled. The call to the `olybycrcfpdhumifczpp` function, together with the surrounding string manipulation, strongly suggests the download and execution of a secondary payload; the presence of a VBA project in the OOXML container and the use of COM objects instantiated through `CreateObject` (such as `WScript.Shell`) support that assessment. Because the macro is heavily obfuscated, the exact payload, its source URL and the command line it runs cannot be recovered from static analysis alone; manual deobfuscation of the extracted macro source or detonation in a sandbox is needed for that. The overall pattern matches macro-based malware delivery, and the ClamAV miss on both carved artifacts (see below) is why the heuristic triage, rather than signature detection, carries the verdict.

Heuristics (4)

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open entry point, which Excel runs automatically when the workbook is opened.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro instantiates COM objects through CreateObject (WScript.Shell among them), the usual route to spawning a process from VBA.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    The document contains xl/vbaProject.bin, so VBA macros are present.
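The four heuristics above can be reproduced on a decoded macro with a few dozen lines of standard-library Python. The block below is an added example, not the report generator's code: it builds a constructed in-memory OOXML zip to show the OOXML_VBA container check, then runs the auto-exec, CreateObject, execution/download-term and base64-blob checks over a constructed macro (`SAMPLE_VBA`, which is not the macro from this sample) after folding the two string-obfuscation idioms the report's narrative points at, `Chr()` concatenation and `StrReverse`. All function names are the example's own. It does not decompress a real `vbaProject.bin`; for a real sample, feed it the source that `olevba` (the extractor named in the artifact listing) writes out.

```python
"""Static triage of an OOXML workbook and of decoded VBA macro source.

Added example, not the report tool's code. The .xlsx container and the macro
text are constructed for illustration and are not the sample in the report.
"""
import hashlib
import io
import re
import zipfile

# Auto-exec entry points Office runs without user interaction (OLE_VBA_WBOPEN class).
AUTOEXEC = re.compile(
    r"\b(Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|Document_Open|AutoExec)\b", re.I)
CREATEOBJ = re.compile(r"\bCreateObject\s*\(", re.I)
# Execution / download terms, matched case-insensitively after deobfuscation.
EXEC_DOWNLOAD_TERMS = [
    "WScript.Shell", "Shell.Application", "powershell", "cmd.exe", ".Run", ".Exec",
    "URLDownloadToFile", "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest", "ADODB.Stream",
    "http://", "https://",
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")       # "long base64-like blob"
CHR_RUN = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*", re.I)
STRREVERSE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.I)

# Constructed macro: auto-exec entry point, CreateObject on a reversed ProgID,
# a Chr()-assembled "powershell" and one base64-looking argument blob
# (the blob is just base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789").
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim o As Object, p As String
    p = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
    Set o = CreateObject(StrReverse("llehS.tpircSW"))
    o.Run Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & " -enc " & p, 0
End Sub
'''


def build_constructed_workbook(with_vba: bool) -> bytes:
    """Minimal in-memory OOXML zip; the vbaProject.bin is filler, not a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:  # OLE compound-file magic followed by zero padding (64 bytes total)
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


def find_vba_project(ooxml: bytes):
    """OOXML_VBA check: return path/size/sha256 of a vbaProject.bin in the zip, or None."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                blob = z.read(name)
                return {"path": name, "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest()}
    return None


def fold_string_obfuscation(src: str) -> str:
    """Collapse Chr(n) & Chr(m) runs and StrReverse("...") literals into plain strings."""
    def fold_chr(m):
        codes = re.findall(r"\d+", m.group(0))  # only Chr() codes occur in the match
        return '"' + "".join(chr(int(c)) for c in codes) + '"'
    src = CHR_RUN.sub(fold_chr, src)
    return STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)


def triage_macro(src: str) -> dict:
    """Static checks mirroring the report's heuristics, run on deobfuscated source."""
    decoded = fold_string_obfuscation(src)
    low = decoded.lower()
    findings = {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(decoded)}),
        "createobject": bool(CREATEOBJ.search(decoded)),
        "exec_download_terms": sorted(t for t in EXEC_DOWNLOAD_TERMS if t.lower() in low),
        "base64_blobs": len(BASE64_BLOB.findall(decoded)),
    }
    # "likely" needs an auto-exec entry point plus a way to run something;
    # anything else suspicious on its own is only "possible".
    hot = bool(findings["autoexec"]) and (findings["createobject"] or bool(findings["exec_download_terms"]))
    suspicious = findings["createobject"] or findings["exec_download_terms"] or findings["base64_blobs"]
    findings["obfuscation_or_payload"] = "likely" if hot else ("possible" if suspicious else "none")
    return findings


if __name__ == "__main__":
    print(find_vba_project(build_constructed_workbook(True)))
    print(triage_macro(SAMPLE_VBA))
```

The string folding is what makes the keyword checks useful: before it, neither `WScript.Shell` nor `powershell` appears literally in the constructed macro, which is exactly how the report's sample hides its `CreateObject` target and command line. Real macros layer more on top (array lookups, Xor loops, `Replace()` chains), so treat a clean keyword pass on obfuscated source as inconclusive rather than benign.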

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e2423993e12d111681cfba421a8710c45c7c8bdee4eb4a4e88a8e555a3a549e4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5608 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
  Carved artifact contains 6 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 5c008c923826edd6cd02d2e1de621ac4785feb6980c60999e329b941258374a3
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 22016 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
  Carved artifact contains 6 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.