Office (OOXML) / .XLSX malware analysis — malicious · 512430bfade7ca44

MALICIOUS

Office (OOXML) / .XLSX

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: a67c49ca00bd6f930452bf8a4e7d7d07 SHA-1: 268d8f1405d6928d7c9e5d80eee81c815e7e03b3 SHA-256: 512430bfade7ca44a15523c02462a169ca0f7db8915235e7858817eac516f007

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell

This XLSX file contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of a base64 decoding function suggest that the macro is designed to decode and execute a payload. The primary function of the script appears to be downloading and executing a second-stage payload, although the specific download URL is not directly visible in the provided script excerpt.

Heuristics 5

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ebbaf9e6891f3edf06223c7a21a425bf98ec339c76706abf02bdf7587e45ec4b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	34430 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 shell/COM execution token(s).
`vbaProject_00.bin` `3e93a8858c95d52627f9f921fa2c03a8c5240ef6d5504ec7baa6e129755c95c1`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.