Office (OOXML) / .XLSM malware analysis — malicious · 3b0674528185c192

MALICIOUS

Office (OOXML) / .XLSM

144.4 KB Created: 2020-12-28 01:20:28 UTC Authoring application: Microsoft Excel 15.0300

MD5: f23dfd7542e484ee84eb75b7b869821f SHA-1: d002c4b85e44efa4fe20574f8962c2b3c799add6 SHA-256: 3b0674528185c1927af4b44cb1a04cac22137140ba78e74095e816b25d2fca97

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter

The file is an XLSM document containing VBA macros. The Workbook_Open macro is present and triggers a Shell() call, indicating an attempt to execute arbitrary code. This suggests the document is designed to download and run a secondary payload upon opening.

Heuristics 4

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8a570aed9f70efa5ff013c63a3abfb02bc1df13875e6b9eb5ba7a4c4a44d3adb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3549 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`vbaProject_00.bin` `cbc9523ad7258c5a1bf8cf118826efa20764ab93b917514ab94a4a9f44fcd994`	vba-project	OOXML VBA project: xl/vbaProject.bin	17408 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.