Office (OOXML) / .XLSX malware analysis — malicious · 65f82f5123eef3e4

MALICIOUS

Office (OOXML) / .XLSX

128.7 KB Created: 2020-11-01 21:21:38 UTC Authoring application: Microsoft Excel 16.0300

MD5: f2c6c4880d33d9c89b1903f7316445d8 SHA-1: 9d026cde5df1d7d8dbe807a015d21369e7812aa6 SHA-256: 65f82f5123eef3e40bd9d4ac26c69e85c4e87e70241b171030bf251e401568e9

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File: User Execution T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro that calls the Shell function. This macro is designed to execute obfuscated code, which is then decrypted and run. The presence of the Shell() call and the Workbook_Open auto-execution heuristic strongly suggest the intent is to download and execute a second-stage payload, typical of a dropper malware.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Dropper.Generic-9823786-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-9823786-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8396ace75402aec10b17f7dda6d209bd50cb4062cb3927d1a19c200075fe9164`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2252 bytes
`vbaProject_00.bin` `706f4646712f07bcb274773b849e32c2edaeb59289c2ab25130d31a84cb8a880`	vba-project	OOXML VBA project: xl/vbaProject.bin	14336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.