Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 58b38775f655498b…

MALICIOUS

Office (OOXML) / .XLSX

654.5 KB Created: 2025-03-03 14:02:33 UTC Authoring application: 16.0300
MD5: 100cd9d907e986ba8d5fc6d0488557d9 SHA-1: ca85284ea6ff1d453eaee43dd2c20f913ba4200c SHA-256: 58b38775f655498b134ce8cd52ab0aba05b710f7611e41cbdffdc3597c5d5f3d
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is an OOXML spreadsheet containing VBA macros, specifically a Workbook_Open macro that utilizes Shell() and CreateObject() calls. This indicates the macro is designed to execute arbitrary commands or download and run additional payloads. The document body text, while containing product information, includes a prompt to enable macros for correct display, serving as a social engineering lure. The presence of these elements strongly suggests a macro-based malware delivery mechanism.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d56704a0146026398bb4e1272fedb44bba1d1bed2d686b7a89e79d70da13bbf2		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3212 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
43a4714a5dd2441e45a67ce84b9c1a79f91c3afd870656b1d562fc38f1f8bdd0		 vba-project OOXML VBA project: xl/vbaProject.bin 23552 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.