Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 506c998caedc0ad9…

MALICIOUS

Office (OOXML) / .XLSX

2.96 MB Created: 2010-11-30 10:03:37 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-10-05
MD5: 3f51df3c9c6f41af7f4a8a6f71ba2e3e SHA-1: 6dcee965371a9900e8b0a59582ee18cfc11991b4 SHA-256: 506c998caedc0ad9b9a0ed9ccee3aa45342116bae1983baf674da5d80bc2cde3
104 Risk Score

Heuristics 5

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • ClamAV scan did not complete info CLAMAV_SCAN_INCOMPLETE
    ClamAV scan on this file did not complete (ClamAV error (exit -15)); the verdict reflects only static heuristics. The result is not cached so a later submission will retry the scan.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b7448786625adbb06d1e5ac160794fa43c14f8c859933c7a46977ead1d63d4af		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3542147 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
vbaProject_00.bin
58294aa06129868cb6570b33de138af4bd823653d02cc5efe948a33d9a4429fa		 vba-project OOXML VBA project: xl/vbaProject.bin 7089152 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.