Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 41d6782f58aa7961…

MALICIOUS

Office (OOXML) / .XLSM

Size: 1.58 MB
Created: 2026-02-06 16:32:06 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-02-09
MD5: 3ad9122de21051149185068569541594
SHA-1: dec0419a780af710147ce6d89ea6bd60e39317d8
SHA-256: 41d6782f58aa79616ce21b1815f388f76a56d0b98a7db22190b11ccb7ebb7be6
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The sample is an XLSM file containing a Workbook_Open macro. When the workbook is opened, this macro launches a user form named 'Giris' that prompts for student details (name, school number, and scores). The combination of the auto-executing Workbook_Open event and the user form suggests an attempt to interact with the user, potentially for credential harvesting or social engineering. No malicious URLs or further payloads were identified in the evidence provided.

Heuristics (3)

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin; VBA macros present
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: bfe50332a230d626158af0d6f0adad0c12eebb8bfddd3f10676f16304ec7a78b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 6383 bytes

Filename: vbaProject_00.bin
  SHA-256: e70158763b6d68df2915bfb9e0ccec6e77284c1fe76f5de71428013b2e0bd56f
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 1728000 bytes