Office (OOXML) / .XLSM malware analysis — malicious · 40e999a04221c8ef

MALICIOUS

Office (OOXML) / .XLSM

27.7 KB Created: 2020-11-11 14:39:23 UTC Authoring application: 16.0300

MD5: fbd8bb8b4bd71062a3a2eea2133c98db SHA-1: bc7828ff3acb709e2e53d436124556532fb02f4b SHA-256: 40e999a04221c8ef0b11ec1a5c4316a45c261c0a95f20d9cf144a53c0b35b697

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.005 Visual Basic

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that a VBA ActiveX event is used to launch a decoded Excel4 macro. This suggests the macro's primary purpose is to download and execute a second-stage payload. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted from the document body.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ecc7343ec24293c54cabfb247223f1608ec3fe264ad2f3284d45c98000f666c1`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2226 bytes
`vbaProject_00.bin` `248dbd9dfcd593693d2a5a06815b95970f736c461fe73cb3dbb1565de3449669`	vba-project	OOXML VBA project: xl/vbaProject.bin	19968 bytes
`emf_00.emf` `53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.