Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4ed663e832b90ad9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.53 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-08-20
MD5: 25f3c31bfac1670838095f3d60c6c7a3
SHA-1: 7faf90be93c0d1e17f6150f74a754f9dae91cdee
SHA-256: 4ed663e832b90ad92759bf2a0c1979529e35cb3f012a29e7887166b566620aee
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file contains Excel 4.0 macro sheets and VBA macros, indicating a macro-based attack. The macro sheets contain a hardcoded path to a DLL file, 'C:\Hefaggad\Ukdfaovkga\Buuefafb.dll', which is likely a second-stage payload. The presence of an embedded OLE object further suggests a multi-stage infection process.

Heuristics (3)

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts (9)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | 94c28cdf45d8f6732844f4a5890cdac5b324e19017d680ba2b31e281401fdfb1 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1836 bytes |
| ooxml_oleobject_00.bin | 321c5fa59c7b673c0337d24ff2c9dda93585740fb807a1f9081a3f7a858d8a00 | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 3554816 bytes |
| ooxml_oleobject_00_ole10native_00.bin | 211c40f577a3009eb54615abba2aa2b5c46caa759b7adf2123fec30fc95354d1 | ole-package | OOXML xl/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native | 3524516 bytes |
| vbaProject_00.bin | 04f2ee846c1ce2d41a734f415abe85841992305d83d676313bb2f857108fbc74 | vba-project | OOXML VBA project: xl/vbaProject.bin | 14848 bytes |
| emf_00.emf | d32058856535c5a89a4d25f0f32b4220bc445f26dcdd9316250c0e527dabaa69 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 7049432 bytes |
| xlm_sheet_00.bin | acc0150b9e5338c3f43c1f9053670781a41a809f690efc08bab8b9500302a723 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 780 bytes |
| xlm_sheet_01.bin | dff0f82dc665e67439e960037bad474039b15161db4c0b42c42144be8e168727 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 683 bytes |
| xlm_sheet_02.bin | 1c0d77af565ece9d4db59619ed3c835606535b60133f3f101d0cee56a6d5114c | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 788 bytes |
| xlm_sheet_03.bin | 7b11b56b5a61d29a6947e9f608b5c7add7c03ca1056729169dd3d0d334e9479f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 965 bytes |