Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 40902a40b1d1abd6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 20.5 KB
Created: 2021-08-11 00:23:11 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 49be70c935e80f0e61debd1ca5b8f87f
SHA-1: 6d6964955d1c4e620e79e48c69e292f18c2402a6
SHA-256: 40902a40b1d1abd6e6b7a2d4c463d454e92eaecb3a7518d046754ffd269f217a
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The presence of a Workbook_Open macro, together with critical-severity firings for Shell() and WScript.Shell usage, strongly indicates that this XLSX file is designed to execute arbitrary code as soon as it is opened. The VBA source is heavily obfuscated and truncated, but its structure suggests an attempt to download and execute a secondary payload. Because of the obfuscation and the lack of clear IOCs in the available script excerpt, the exact malware family cannot be determined.

Heuristics (6)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, i.e. VBA macros are present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: b13a4e51139eae89a2b78fcaaaef0c8d9cea0531ee576dabd3a40095632ed9de
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 9012 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 8 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

  • Filename: vbaProject_00.bin
    SHA-256: 0079f34d031729c6fdfe254f1ccdcb81ebffdc476df0ce42d20c9a891eb4e0b0
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 29696 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 8 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.