Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 525dca66603ba937…

MALICIOUS

Office (OOXML) / .XLSM

36.5 KB Created: 2025-03-06 20:16:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2025-03-11
MD5: 7928d4da38767e17b693dc1c3b12376b SHA-1: b357c6211bbf9b463553d5137aac957fbd9b0868 SHA-256: 525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1059.003 Windows Command Shell T1204.002 Malicious File

This macro-enabled Excel document (XLSM) uses a Workbook_Open macro to prompt the user to 'Enable Editing', a common social engineering tactic. Upon enabling, it likely executes a second-stage payload via WScript.Shell and a Shell() call, as indicated by critical heuristic firings. The embedded URL 'https://tursiian.com/7z.txt' is highly suspicious and is likely used to download the actual malware.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tursiian.com/7z.txt
    • https://f004.backblazeb2.com/file/mdocument/PO202502DAKE.zip

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5012bf98bd11f04906ada35703385af166180395f61ded9583d11d623a301dd9		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10244 bytes
vbaProject_00.bin
e5d114bc3e7ac0d4d01c1237715cdb3260e2a7fea3503589ef01d33df25a7de0		 vba-project OOXML VBA project: xl/vbaProject.bin 60928 bytes
emf_00.emf
53501607bf3e7b021e195b59d97145b9d1928593f2893b80d0ae645afc3e3936		 ooxml-emf OOXML EMF part: xl/media/image1.emf 2744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.