Malicious Office (OOXML) / .XLS — malware analysis report

Static analysis result for SHA-256 26b8ea7bb37f273a…

MALICIOUS

Office (OOXML) / .XLS

5.11 MB Created: 2024-11-25 19:53:43 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2026-03-07
MD5: 0fc9f35147e37b38345b8d80d093205e SHA-1: 0dd719c3546487b467bdc10e92d48c2d29664dc6 SHA-256: 26b8ea7bb37f273ac6d64b175fcf3f97c247a4f6f89b3dd77c279acbf443867f
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The file contains a Workbook_Open macro that utilizes Shell.Application and FileSystemObject to copy itself and potentially execute a second-stage payload. The macro attempts to create a directory under the user's profile and save a file named 'tivmirsa virdga.scr'. The presence of a Workbook_Open macro, Shell() calls, and CreateObject() calls strongly suggests a malicious intent to download and execute further malware.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9f0e11d1e60782c0b4fd55d8267d969a8e6f49ca9bbb33ac58ed70f9ce42b620		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5043 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ooxml_oleobject_00.bin
a9f9504efecb63ca97c06bf6aa362d558af5b8e9243f2d5bd0b6c36ec8d2fef6		 ooxml-ole-object OOXML embedded OLE part: xl\embeddings/oleObject2.bin 96571 bytes
ooxml_oleobject_01.bin
ba16ba0809819fd896b9509b190994591dc96f1e99fab9f4c078bc081bc03e78		 ooxml-ole-object OOXML embedded OLE part: xl\embeddings/oleObject1.bin 10297 bytes
ooxml_oleobject_02.bin
74d674bf10944d6195f7e13626c8e1c43a4876c9c1dc60ddbd38aad98b47f296		 ooxml-ole-object OOXML embedded OLE part: xl\embeddings/oleObject3.bin 5233687 bytes
vbaProject_00.bin
5be6a145181bb9b9205586b0af16ece8f738801fbbb512c236945725e86e0f0f		 vba-project OOXML VBA project: xl/vbaProject.bin 16384 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.