Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 5e926c47618c8934…

MALICIOUS

Office (OOXML) / .XLSM

Size: 445.0 KB
Created: 2000-04-13 21:48:14 UTC
Authoring application: Microsoft Excel 12.0000
MD5: bc1c04577fa34d329dc5c413a81ae36e
SHA-1: 2d1e22782f2b90573e9b9af623fe2644f4265036
SHA-256: 5e926c47618c89349904b52f2f11fd27131188504f5c764bea8bfc620db9b390
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This XLSM file contains an obfuscated VBA loader that executes upon opening the workbook. The script uses CreateObject to execute a command, likely involving mshta and a script file, based on the extracted document body content. The presence of a Workbook_Open macro and the critical heuristic for an obfuscated auto-exec loader indicate a malicious intent to execute arbitrary code.

Heuristics (7)

  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Clipboard command execution lure [high] (SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • VBA project inside OOXML [medium] (OOXML_VBA)
    Document contains a VBA project — VBA macros present.
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 53f56ee06d9182299e599f74edbc2508e9e46c15e82f5ace00b7e6f70547239e
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1206 bytes

Filename: vbaProject_00.bin
  SHA-256: 5b9eef9488c7df931b9c3b417de372b51066f61fdab2b62974fb07090d3e7e48
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 9216 bytes