Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4cfef357e3d0da92…

MALICIOUS

Office (OOXML) / .XLSX

41.1 KB
MD5:     101494c9c2dd0f194ae67a7c792fba8e
SHA-1:   96dc2a305fb02a69049ff009e9807e7170f619ba
SHA-256: 4cfef357e3d0da92542bc31e7377dcc2278015a67031080c7b73eca80ea6c010

Risk Score: 148

Malware Insights

MITRE ATT&CK
  T1059.005  Command and Scripting Interpreter: Visual Basic
  T1566.001  Phishing: Spearphishing Attachment

The presence of a Workbook_Open macro and a CreateObject call strongly suggests malicious intent. The VBA code itself appears to be a downloader or dropper, although it is truncated and obfuscated, making it difficult to determine the exact payload or destination. The macro's primary function seems to be executing other VBA subroutines, potentially to achieve its malicious objective.

Heuristics (5)

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Malformed OOXML local headers contain vbaProject.bin: VBA macros present
  • Malformed OOXML package with recoverable local headers [low] OOXML_MALFORMED_ZIP_LOCAL_HEADERS
    The OOXML ZIP central directory is invalid or missing, but the local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename:   vbaProject_00.bin
SHA-256:    a1cfab5cf164e79d03c8f6a798c6ec7e5c9c51e57a8eff461f0931e0cd084d73
Kind:       vba-project
Source:     Malformed OOXML local-header VBA project: xl/vbaProject.bin
Size:       37888 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved macro source contains an auto-exec entry point and execution/download terms.

Filename:   macros.bas
SHA-256:    de7bcbc45ff0a77d05d9af662bacc316e71be11a980e94f6673e556a5dd9d1bc
Kind:       vba-macro
Source:     oletools.olevba.extract_macros (decoded VBA source from malformed OOXML local headers)
Size:       12808 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved macro source contains an auto-exec entry point and execution/download terms.