Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2615407d5043e350…

MALICIOUS

Office (OOXML) / .XLSX

Size: 332.1 KB
Created: 2006-09-16 00:00:00 UTC (the default dcterms:created value carried by Microsoft's stock Office templates, so it says nothing about when this file was actually authored)
Authoring application: Microsoft Excel 15.0300
MD5: e3893a8b21f9226a48ec0e10d5c3f414
SHA-1: 562ab34b82a3d27e1dd7add4f4411080d09529b7
SHA-256: 2615407d5043e350ef6e9dfbeb44573c937e6588447f691d743ee79ffabffd99
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical ClamAV detections (on the workbook itself and again on the carved xl/vbaProject.bin) identify this Excel file as 'Xls.Malware.Chartres-7641208-0'. The file carries a VBA project (the 'OOXML_VBA' heuristic and the decoded 'macros.bas' artifact), and the decoded source contains 'CreateObject' and 'CallByName' calls. That pairing is the classic late-binding pattern: CreateObject instantiates a COM object such as WScript.Shell by ProgID at runtime, and CallByName invokes a method on it by a string name, so neither the object nor the method has to appear as a readable literal. Together with the T1059.001 PowerShell mapping, this indicates the macro most likely hands off to a PowerShell stage that downloads and executes a secondary payload, the usual initial-access pattern for this family. This is a static verdict: the macro was decoded, not run, so the exact command line, download URL and payload were not recovered here and should be confirmed by detonating the sample in a sandbox or by manual review of macros.bas (SHA-256 recorded below for correlation).

Heuristics (6)

  • ClamAV: Xls.Malware.Chartres-7641208-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Chartres-7641208-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    The macro calls CreateObject, which instantiates a COM object by ProgID at runtime (WScript.Shell, Scripting.FileSystemObject and MSXML2.XMLHTTP are the usual choices in malicious macros). Ordinary spreadsheet automation rarely needs it; malware uses it for command execution, file writes and downloads.
  • CallByName call high OLE_VBA_CALLBYNAME
    The macro calls CallByName, which invokes a method or property whose name is supplied as a string at runtime. Paired with CreateObject, it lets the macro call something like .Run or .Exec on a shell object without that method name ever appearing as a literal, which defeats simple keyword matching.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains xl/vbaProject.bin, so VBA macros are present. The project was decoded with olevba without being executed; all findings on this page are static evidence.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256, Detection.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 4970 bytes
  SHA-256: 8c6472b8c563cc168f35ec4fd70824264234077b046e2683cd092f26c55f3c2d

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 385536 bytes
  SHA-256: fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949
  Detection: ClamAV: Xls.Malware.Chartres-7641208-0 (the same signature that fires on the parent workbook)
  Obfuscation or payload: likely
  Carved artifact contains 2 eval/decoder/string-building token(s).
  Note: the decoded source (macros.bas) is only 4970 bytes of a 385536-byte project. The remainder is the PROJECT stream, compiled p-code, forms and any padding, none of which is decoded here. Since Office can execute p-code that does not match the source text (VBA stomping), a manual comparison of the p-code against macros.bas is a worthwhile follow-up before trusting the source listing alone.

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image3.emf
  Size: 1599124 bytes
  SHA-256: 6bcb3082080cafb063cdc7430906163da0eee6ce1da785125bdefd247830a232

Filename: emf_01.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image2.emf
  Size: 4680 bytes
  SHA-256: bc052645292cfd971f0dc001c8145481812bb839ec8dc4544a1453d12b01cd03

Filename: emf_02.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 1360 bytes
  SHA-256: 2342c7f40807fe0899c57d21b7eb0dcce86a2c680a665e271545dc5e449226f2