Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 5d4fdf219371a9d8…

MALICIOUS

Office (OOXML) / .XLSM

51.9 KB Created: 2020-11-23 14:09:10 UTC Authoring application: Microsoft Excel 16.0300
MD5: 583fcbda6de9764fc9d5d2c21856a3ce SHA-1: 53b2b1303a2dd6c1f7ad7a5ea9de2838e79380d9 SHA-256: 5d4fdf219371a9d83d31b7e21cd1103b309f124e36dc1a4790e052efe760990f
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.005 Visual Basic T1203 Exploitation for Client Execution

This XLSM file contains VBA macros that leverage ActiveX events to decode and execute Excel 4.0 macros. The script `signedd` reconstructs and executes commands using `ExecuteExcel4Macro`, indicating an attempt to run arbitrary code. The specific technique involves using worksheet-decoded XLM formulas and an ActiveX event to launch the macro, suggesting a downloader or initial execution stage.

Heuristics 3

  • VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
200b0c041ba41718e3b74eafcfd518bf38b36f2ebe7ccd513c2850e75ea5d840		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1169 bytes
vbaProject_00.bin
26d3b11589bc4d436322a9909ef19c1e24544ff699ad5f50a1493f60713776eb		 vba-project OOXML VBA project: xl/vbaProject.bin 27648 bytes
emf_00.emf
4609916d8bdbc79e29612828ccd046cae14d7ddc0bfea0db84520ad5f180a00d		 ooxml-emf OOXML EMF part: xl/media/image1.emf 1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.