Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 52003481c7245905…

MALICIOUS

Office (OOXML) / .XLSM

Size: 53.3 KB
Created: 2021-05-04 09:08:36 UTC
Authoring application: 16.0300
MD5: 24875ad63104608b4b396051b2b69660
SHA-1: 407a60266d08747def593476907f45d97c4889a9
SHA-256: 52003481c7245905ceaa859b54ffb76ecfeae91491f9741b5ea3c16a1db80989
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell

The sample is an XLSM file containing VBA macros and an Excel 4.0 macro sheet. The presence of these elements, together with hidden worksheets, strongly suggests malicious intent. Excel 4.0 macros can execute arbitrary code and are often used to download and run further malicious content. No specific download URLs or payload hashes were extracted, which limits the available IOCs.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are standard OOXML and Office XML schema namespace identifiers that appear in every workbook of this type; they are not network indicators and should not be treated as IOCs.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: eb166f3d8049fc4770c8234cbc3f56fda4336d3c5d092ede14bb4a6edbdbba57
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2231 bytes

Filename: vbaProject_00.bin
  SHA-256: 965c591b44fb6119ce7e5fc6d6d8efebb6a6641ca6c8be95feae61132d3afbd2
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 22016 bytes

Filename: xlm_sheet_00.xml
  SHA-256: 072af9fbd9f9534b24954d6d0574557e1d16bd3cfe6bbda5f616ddbd78f72cc8
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
  Size: 836 bytes