Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4050bae8f9dee7b5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 399.3 KB | Created: 2006-09-16 00:00:00 UTC (this is the default creation stamp Excel writes into files built from its stock templates, so it carries no information about when the sample was actually authored) | Authoring application: Microsoft Excel 15.0300
MD5: ccb04564445edc260cdb5ab2821ffacc SHA-1: 87535e654e04d5327b00cac78ce82c848dd3c1c7 SHA-256: 4050bae8f9dee7b537e89b6ca6cc14dc7a5cb9788acf72ea77370827cdea1a1f
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

This OOXML workbook carries a VBA project (xl/vbaProject.bin), flagged by the 'OOXML_VBA' heuristic. The decoded macro source contains both CreateObject and CallByName. CreateObject instantiates a COM object from a ProgID supplied at runtime, and CallByName invokes a method or property on an object by a string name; used together they let a macro reach objects such as a shell or HTTP client without the ProgID or method name ever appearing as a literal, which is why this pairing is a standard marker for macros that hide arbitrary code execution from string-based scanning. No URL, command line, or secondary script was recovered in readable form, so the downloader/dropper characterization rests on this late-binding pattern and the obfuscation tokens noted in the carved VBA project rather than on an observed payload. The worksheet content is numerical data only and gives no indication of the lure or theme used to get the macro enabled.

Heuristics (4)

  • OLE_VBA_CREATEOBJ (high): CreateObject call in the VBA source
  • OLE_VBA_CALLBYNAME (high): CallByName call in the VBA source
  • OOXML_VBA (medium): document contains vbaProject.bin, i.e. VBA macros are present
  • EXTRACTED_FILE_STATIC_TRIAGE (info): one or more files carved from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms)

Extracted artifacts (8)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source part, size and SHA-256.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 4547 bytes
    SHA-256: e9c9675fa54f653cfbfd6c2493068cea008e4c1582b1f9b126dc9031cfcb2d7f
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 376320 bytes
    SHA-256: 577537b6664a90bc679b2fada9955b027a5c760e056baa368322dbb5a407963a
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image5.emf
    Size: 6120 bytes
    SHA-256: f09a6085fba9555df367d7e508b8046ab94f10ca116f20d3bb00d053165a1aca
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image3.emf
    Size: 1519908 bytes
    SHA-256: ca8c1b66bf8910055e225b7ecff7ccc20488b2b590a6a3d6bc14a64446925aa4
  • emf_02.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image4.emf
    Size: 1272 bytes
    SHA-256: 562ba51223f48587374a706e8a119e4352309cff50f463b56c328fba0ea7efd5
  • emf_03.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 1792 bytes
    SHA-256: 4c3a575a6c721bcc51a030160a9e4484881c13251db2f177984792f43e522511
  • emf_04.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image6.emf
    Size: 1272 bytes
    SHA-256: 02fdb931131c70cc0b5c8919f60260c18b6ebc4aa76d1911481955c9b08c926a
  • emf_05.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1272 bytes
    SHA-256: 899a8b9510bba2026243b62b2f48c7a41ec34ebe56d4f3fa2fc718a3e409ae4c