Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 4d2431fa3f8f634d…

MALICIOUS

Office (OOXML) / .XLSM

37.9 KB Created: 2020-12-01 09:04:03 UTC Authoring application: 16.0300
MD5: 8199c073ac13d164cd9af0706ccf2c68 SHA-1: 7bce96a596224728f3d223e6b57ce7107f977140 SHA-256: 4d2431fa3f8f634d4ab3002b117eda343a910b9329e7a0745855eeed35f6ea58
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1566.002 Spearphishing with Malicious Attachment

The file is an XLSM document containing VBA macros. The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to run worksheet-decoded XLM formulas. The VBA script 'macros.bas' contains functions like 'hopr' and 'documentoformato' which appear to be involved in decoding and executing Excel 4.0 macros. The 'gross' subroutine calls 'Run(hopr & "sione")', which likely executes the decoded XLM code. This mechanism is used to download and execute a second-stage payload, although the specific download URL is not directly present in the provided evidence.

Heuristics 5

  • VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5dd215fa73876d143c49f14bb905c325ce4aa0aa60dc061e6af5fce461854156		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1450 bytes
vbaProject_00.bin
30b2a958a84bad48e2c5fe49cbb5426df170eee33b35bf8ab39e36a19dfa10c1		 vba-project OOXML VBA project: xl/vbaProject.bin 16896 bytes
emf_00.emf
7b48e28257dd0d4b11a054d961f2bf9101d80f7f1e6895caeccec43b0808c36f		 ooxml-emf OOXML EMF part: xl/media/image1.emf 2352 bytes
xlm_sheet_00.xml
c77998eae21f87e28e77a0b0752a67d2a6486bd14af15ddec5704a6fbd8a0b74		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 815 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.