Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 5786ca7e6e58a64b…

MALICIOUS

Office (OOXML) / .XLSM

Size: 13.7 KB
Created: 2021-11-01 06:46:32 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0201c407944be6efce97dc2d75d807aa
SHA-1: e03fbe8e7fa60d38e105f90141c31af7c2919558
SHA-256: 5786ca7e6e58a64b9c71a65642df706d3fa75080bb68e816a2c4bc757941c9df
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSM file containing a Workbook_Open macro. Upon opening, the macro displays a "Hacked !!!" message box and then attempts to open the benign URL https://youtube.com. While the URL is benign, the macro's behavior is deceptive and could be a precursor to more malicious activity in a different variant.

Heuristics 3

  • [high] Workbook_Open macro (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • [medium] VBA project inside OOXML (OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://youtube.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    d69230f5e83a87b5e9b2261c3917906770eb5b6f15a7e0fdb9b750592231af73
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 739 bytes
  • Filename: vbaProject_00.bin
    c5f416340c8b76d956d62714c9c5355dd91910f09d5136b21bf61a16d5f25ba6
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 14848 bytes