Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 48606d03613bc6c3…

MALICIOUS

Office (OOXML) / .XLSM

Size: 318.1 KB
Created: 2020-10-09 07:39:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2025-06-04

MD5: 66ea2c0492af99cf24c3b7d9eea3515f
SHA-1: 0d781dab58c876d1fb21b0892725183b819a94d9
SHA-256: 48606d03613bc6c344704a8a8b2e2fabb03ad8632bc01216784973991959d7cb

Risk score: 86

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.005 Visual Basic

The sample is an XLSM file containing VBA macros, indicated by the OOXML_VBA heuristic. The document body and the OOXML_DOWNLOAD_SHAPE heuristic suggest a lure, possibly related to advance-fee scams or grant applications, to trick users into enabling macros. The presence of hidden worksheets and the OOXML_EXTERNAL_HYPERLINKS heuristic further support the malicious intent. While no direct download URL or execution script was found, the overall structure and heuristics strongly indicate a macro-enabled document designed to download and execute a malicious payload.

Heuristics (6)

  • SE_ADVANCE_FEE_SCAM_LURE (high) — Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • OOXML_VBA (medium) — VBA project inside OOXML
    Document contains a VBA project — VBA macros present.
  • OOXML_EXTERNAL_HYPERLINKS (low) — External hyperlinks (1)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://ec.europa.eu/info/funding-tenders/opportunities/docs/2021-2027/common/guidance/aga_en.pdf
  • OOXML_HIDDEN_SHEET (low) — Hidden worksheet (veryHidden)
    Excel workbook contains 11 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • OOXML_DOWNLOAD_SHAPE (low) — Call-to-action shape / download button
    Document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box — a common visual lure used to trick users into enabling macros or visiting a malicious URL.
  • EMBEDDED_URL (info) — Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ec.europa.eu/info/funding-tenders/opportunities/docs/2021-2027/common/guidance/aga_en.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: a1915b14de5c049687d10e7671f729c0130eb5eb34913bea13d6f975f2163e4d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 120753 bytes
  • Filename: vbaProject_00.bin
    SHA-256: 0e08023420c4674cfdf1dc09e4ef3cd30c0715b809efbc52231a00941e6fc864
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 457216 bytes