Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 49319aa12fecc977…

MALICIOUS

Office (OOXML) / .XLSM

828.8 KB Created: 2020-05-15 20:59:55 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2024-08-17
MD5: 92bfd796e3a08874635d3b61cd81a8e1 SHA-1: c23979a782d5246f7f37227180eff52471381c02 SHA-256: 49319aa12fecc9778335607c1613dbc46747339659d58e01c0ef6e22960caf6f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1059.001 PowerShell T1140 Deobfuscate/Decode Files or Information T1204.002 Malicious File

The OOXML file contains a Workbook_Open macro, indicating that malicious VBA code executes automatically when the document is opened. The document body contains invoice-related text, suggesting a lure to trick users into enabling macros. The VBA code likely attempts to download and execute a second-stage payload, as indicated by the presence of VBA macros and the 'CreateObject' call.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 5 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5c6069be6a3fe1fb0a8f93368dfb4f26bdec0788e45ff49242823c12189b53d7		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 122290 bytes
vbaProject_00.bin
38318e8331ca7553e90b4af0a0c0e639d2c1bc72c5d376d1c3239ca7621d1882		 vba-project OOXML VBA project: xl/vbaProject.bin 310272 bytes
emf_00.emf
d05fccd02b489f5ace27b368b989b78b76d96083c913d4077afb5f11b69ce968		 ooxml-emf OOXML EMF part: xl/media/image6.emf 2768 bytes
emf_01.emf
00a96a36f3088bf467fd8eea0b09015856b028e135f88f42ec672cb94d6d2b23		 ooxml-emf OOXML EMF part: xl/media/image7.emf 2796 bytes
emf_02.emf
739b905c5daa1ee62b3e57124fd09616d73727da6541c11d98745aa31a42d440		 ooxml-emf OOXML EMF part: xl/media/image8.emf 2688 bytes
emf_03.emf
95e99eae2cf7480409115a62913c05e647383e83e1dcc15f14f7f21ba8730517		 ooxml-emf OOXML EMF part: xl/media/image9.emf 2744 bytes
emf_04.emf
1a0ebd1fe0d6e12e9f30fede6be6e52fef7050b16cd7a8ec57c7fbc5b401e32f		 ooxml-emf OOXML EMF part: xl/media/image10.emf 2744 bytes
emf_05.emf
7d543594def86c03a267b25dcda9c7e338f1a629013f68070919abcfa509c2c7		 ooxml-emf OOXML EMF part: xl/media/image11.emf 2768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.