Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 4cedaa22118c9bca…

MALICIOUS

Office (OOXML) / .XLSM

147.3 KB Created: 2021-02-23 01:42:22 UTC Authoring application: Microsoft Excel 16.0300
MD5: e8e0a2921ac880e78ee3397932a6da73 SHA-1: 7d5afd9e691cedb7ebe31bb87a32e8dfda7ccb72 SHA-256: 4cedaa22118c9bca2d63edb74a43cc292100d253dab2cd23240cc4e8cc567b92
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

This XLSM file contains a Workbook_Open macro, a common technique for executing malicious code upon opening the document. The critical heuristic firing indicates the use of the Shell() function, which allows the macro to run arbitrary commands. While no specific family is identified, the presence of a Workbook_Open macro and Shell() execution strongly suggests a downloader or initial execution stage for further malicious activity.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
91e24024c670827f961a5bc181e3ece34045009e29f92e765293636f8378b87c		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 37942 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
53bb244c524f90c0e27af34bc894d8a659eceb7cf7cc920b2d47f6037692c066		 vba-project OOXML VBA project: xl/vbaProject.bin 44032 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.