Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 6675b97d5ccf26ad…

MALICIOUS

Office (OOXML) / .XLSM

Size: 26.7 KB
Created: 2020-11-09 12:10:54 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 78f485572bfb86b5533385ca958251ca
SHA-1: 18b454829d6b5568e09ada1dec0c8466f4949499
SHA-256: 6675b97d5ccf26ad76872763828bf70c261441550da63d75324b72416d93657f
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic 'VBA ActiveX event launches decoded Excel4 macro' indicates that the sample is designed to execute embedded Excel 4.0 macros. The VBA code appears to decode a string and then likely execute it, which is a common technique for downloading and running further malicious content. The obfuscated document body content does not provide direct clues to the specific lure.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project: VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 49b498cd052a62a4ccb363eb2dcd418ee5af18c9c14512069989e330208f2d13
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1886 bytes

Filename: vbaProject_00.bin
  SHA-256: a6e6fb96588303423f8a7fc68b7bfaa7602b406ae6fc8d8a6bf7bb80d191a2b3
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 18432 bytes

Filename: emf_00.emf
  SHA-256: 53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 1408 bytes