Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 22521e7ca8f9b394…

MALICIOUS

Office (OOXML) / .XLSM

Size: 144.4 KB
Created: 2020-12-29 00:10:07 UTC
Authoring application: Microsoft Excel 15.0300
MD5: bdde006375815629a7da771787794f77
SHA-1: cead3e7ea6079651ecb3535b6f6b376b5dc9c898
SHA-256: 22521e7ca8f9b3944f1b9a6e623d24f5a30f1f0315b81424dfda59def6cf7343
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic (sub-technique of T1059 Command and Scripting Interpreter)

The critical-severity heuristic (a Shell() call in VBA), combined with the presence of a Workbook_Open auto-exec macro, indicates that this XLSM file is designed to execute arbitrary commands as soon as it is opened. The VBA macros are the primary execution mechanism, most likely used to download and run a secondary payload.

Heuristics (4)

  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
  • Suspicious extracted artifact [high] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] (OOXML_VBA)
    Document contains vbaProject.bin, i.e. VBA macros are present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size, Detection.

  • macros.bas
    SHA-256: b049fd404e468fb2ea3b70edad305ff1742a28e0940d6eb070b0d431522d6a21
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3526 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (the carved macro source contains an auto-exec entry point and execution/download terms)

  • vbaProject_00.bin
    SHA-256: b55be76586e02dc8cc04581f61532f66276e452dd3dbfa959b493e7766d30a2c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 17408 bytes