Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 3b63678e3e4027f8…

MALICIOUS

Office (OOXML) / .XLSM

Size: 100.1 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4e28c4412345205a3bd30917155de6a8
SHA-1: 611d5cf6e58d03b542cc26c31bcadb89c03c4b12
SHA-256: 3b63678e3e4027f83805179a7630aaaced38991be42da263e237a630f56c93d4
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a Workbook_Open macro and an Excel 4.0 macro sheet, both of which are used to execute malicious code when the workbook is opened. The VBA script reconstructs commands that download files from several suspicious IP addresses and execute them with 'regsvr32.exe'. The reconstructed commands include 'regsvr32 -silent ..\Popol.gors' and 'regsvr32.exe -e -n -i:0.123456789 ..\Popol.ocx3', indicating downloader functionality.

Heuristics (6)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • ClamAV: Xls.Downloader.Docusign112101-9908076-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Docusign112101-9908076-0
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://190.14.37.89/
    • http://74.119.195.114/
    • http://212.6.44.229/
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 3c3e714d9cd7fb9b9e788b237ef8495032fc0fb331e3cfb5d84c959aa88aa850
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2651 bytes
  • vbaProject_00.bin
    SHA-256: 438634a363cc6eaaf56e5e24b297454fb9cac2470c59c18edb28823c90a95331
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 12288 bytes
  • xlm_sheet_00.xml
    SHA-256: e47a1bb05005baa6c77d44783526fc711a37f6dacba438304270e1475494804a
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml
    Size: 3426 bytes