Office (OOXML) / .XLSM malware analysis — malicious · 41397cf8d749283f

MALICIOUS

Office (OOXML) / .XLSM

43.0 KB Created: 2020-10-21 11:36:42 UTC Authoring application: Microsoft Excel 16.0300

MD5: 5f55d6977147567bc30604591317e196 SHA-1: f24f6828cd2fc0883d540b4169b6d83fcf3906b2 SHA-256: 41397cf8d749283f47e142da6926847189c9834f236639fd613805a7d43a7a64

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that a VBA ActiveX event triggers an Excel 4.0 macro. The extracted VBA script confirms this, using the `ExecuteExcel4Macro` function. The script also contains obfuscated strings that, when decoded, reveal a list of URLs. The primary intent appears to be downloading and executing a second-stage payload from these URLs.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f9d056474dc34c78812feb1bce69bad0111ba77bf6a1b26167d619c6ba20192d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1643 bytes
`vbaProject_00.bin` `ca4f03539d720376cff3831aeee3d143355df0bee93b0374f5e09ced1331defc`	vba-project	OOXML VBA project: xl/vbaProject.bin	17408 bytes
`emf_00.emf` `54be04b40284510a9e12889d686dbefd074a529e13e1fbcb1043381efd91f26f`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	9596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.