Office (OOXML) / .XLSM malware analysis — malicious · 433051c1004fd20d

MALICIOUS

Office (OOXML) / .XLSM

1.10 MB Created: 2021-07-02 03:16:37 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2025-07-27

MD5: 332625b8fe15d576db4f7b1b2ce6b5de SHA-1: 45d2cbca96c2dd67f56495d368a2ed874be968e6 SHA-256: 433051c1004fd20ded86d8d6cb11b5e8d01d7561febe168f121a8f835ac0db05

814 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

This macro-enabled Excel file (XLSM) contains a Workbook_Open macro that attempts to trick the user into enabling macros. Once enabled, it uses WScript.Shell and cmd.exe to download and execute a payload from a URL, likely establishing persistence via a Run key. The ClamAV detection 'Doc.Dropper.Agent-6412232-1' further confirms its malicious nature as a dropper.

Heuristics 22

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
External relationship high OOXML_EXTERNAL_REL

External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Users\NVSSY_Home_Dell\Downloads\eTDS-zip_Sample\eTDS-zip_Sample.xlsm
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://support.microsoft.com/en-us/office/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 22 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://eportal.incometax.gov.in/iec/foservices/#/download-csi-file/tan-user-details
- https://downloads.stacos.com/TDS/TDS_Downloads/FVU/
- https://downloads.stacos.com/TDS/TDS_Downloads/FVU/TDS_FVU_2169.jar
- https://downloads.stacos.com/TDS/ETDS_XL/EULA_TDSXL.pdf
- https://downloads.stacos.com/TDS/ETDS_XL/ETDS-XL.zip
- https://incometaxindia.gov.in/Pages/tax-services/facilitation-centre-locator.aspx
- https://eportal.incometax.gov.in/iec/foservices/#/login
- https://www.tdscpc.gov.in/app/login.xhtml
- https://www.tdscpc.gov.in/app/ded/panverify.xhtml
- https://www.tdscpc.gov.in/app/logout.xhtml
- https://stacos.com/join/email?Name=
- https://tdsprime.com
- http://ns.attribution.com/ads/1.0/
- https://eportal.incometax.gov.in/iec/foservices/#/download-csi-file/tan-user-detailsA@�
- https://www.tdscpc.gov.in/app/ded/panverify.xh
- https://tdsprime.comA@�
- https://tdsprime.zendesk.com/hc/en-us/articles/29945212047769-How-to-Enable-the-Macros-in-eTDS-XL
- https://tdsprime.zendesk.com/hc/en-us/articles/21238007283865-How-to-Unblock-Macros-in-e-TDS-XL
- https://www.youtube.com/watch?v=2E_SQTUdPfo
- https://www.youtube.com/watch?v=5eEXeZMqItM
- https://support.microsoft.com/en-us/office/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
- https://tdsprime.zendesk.com/hc/en-us/search?utf8=%E2%9C%93&query=%22
- https://api.whatsapp.com/send/?phone=919709123841&text=Hello%20Venkat
- https://forms.gle/YhYXuC7Qiy6JumuQ8
- https://tdsprime.zendesk.com/hc/en-us
- https://forms.gle/mxfpnyoJSDgJoCj87
- https://script.google.com/macros/s/AKfycbzgdsHGlLpxSeiN7kHNv0cca7BdEnnVAgPsqjvOa-Qi0MFdKdU/exec?software=eTDS-XL&rtype=caret
- https://script.google.com/macros/s/AKfycbzTXgzvzdbH0wSFPv5C92J2qzywYLUAY9SE0pYW-whbicSrlLDe/exec?tan_name=
- https://tdsprime.zendesk.com/hc/en-us/articles/360021163912
- https://www.youtube.com/channel/UCF1cmdYy04AS1VB6NWajI0A
- https://stacos2.pipedrive.com/scheduler/0RMOQ4hd/etds-xl-demo-and-queries
- https://razorpay.com/payment-button/pl_I3B076gfMwzZ80/view
- https://razorpay.com/payment-button/pl_I7IgbmmGr69VIa/view
- https://razorpay.com/payment-button/pl_I7IliRPgXDPYsn/view
- https://razorpay.com/payment-button/pl_I7IuJpxJmM0ySZ/view
- https://razorpay.com/payment-button/pl_I7IvkjlJr9HM0a/view
- https://razorpay.com/payment-button/pl_I7XFAFXjmJmq12/view
- https://razorpay.com/payment-button/pl_I7XHU3PljzXoMb/view
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ea6e40e43733e3cf36c1bcc22071739610d878eb3cf4d81e56831dbf8c64a18b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	686447 bytes
`vbaProject_00.bin` `6c1994a24ddf30319cf226803994a097ad2a442ddf0861473107a22f7c80023b`	vba-project	OOXML VBA project: xl/vbaProject.bin	1925120 bytes
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.