Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 2dee29cc743e174d…

MALICIOUS

Office (OOXML) / .XLSM

Size: 167.0 KB
Created: 2021-03-22 13:12:12 UTC
Authoring application: Microsoft Excel 15.0300
MD5: c5ae752392f3804ed45503d8208cbfe7
SHA-1: 8b2ec9c2f7abf6e2ed0f85169291dc4642a0b539
SHA-256: 2dee29cc743e174db618ce4b038758729f19c5ff5d774054382cbe8387e3e952
Risk Score: 100

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell

The presence of a Workbook_Open macro indicates that the malicious code will execute automatically upon opening the Excel document. The GetObject call suggests an attempt to interact with system objects, potentially to download and execute a secondary payload or establish persistence. The embedded VBA code is likely responsible for these actions, leading to a malicious outcome.

Heuristics (3)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin; VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 9129 bytes
    SHA-256: 3355cce494f5c14263fd338439704d2173d6e596e7eee23169ceb0dc17af1993
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 60416 bytes
    SHA-256: cc2b643d783ae731045ae76ef254a5584808498f61e66d8a3f2e7d8cd00834a9