Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 440b16adc385f603…

MALICIOUS

Office (OOXML) / .XLSM

70.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2025-12-23
MD5: fba4c8c07c3dff793e709b2bac8015cd SHA-1: 61e344bbb4e9e74dd1e9d420599b16a193bbc944 SHA-256: 440b16adc385f603aaa8fa1d4d867f491cb89e7c1d484a7c5879a3ad0af99b3d
382 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1105 Ingress Tool Transfer

The Workbook_Open macro in the Excel file automatically executes VBA code. This code uses WScript.Shell and CreateObject to download a PowerShell script from http://77.83.39.207/RAY/Y1.ps1 to C:\Temp\Y1.ps1 and then executes it. This indicates a downloader or initial access stage.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://77.83.39.207/RAY/Y1.ps1

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c9eeb415209b4beecf5b4198cd3ea150ebc71bb496997077e88e21bbfed489ba		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2710 bytes
vbaProject_00.bin
f9f305728d2fca504cc323840f259261b2fa043e7801f5f15ae6d2b9eef4e46b		 vba-project OOXML VBA project: xl/vbaProject.bin 19968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.