Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 6a2a695f1ae8118c…

MALICIOUS

Office (OOXML) / .XLSM

44.4 KB Created: 2020-10-28 10:11:18 UTC Authoring application: 16.0300
MD5: dec056d7fe2779d6c0a41714586d3e3e SHA-1: c289e8c5195b7f10f29ffa3aa761ed660d6917a6 SHA-256: 6a2a695f1ae8118cb54adc6a32a252eec505418246637c63577ca09d5c796834
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This XLSM file contains VBA macros that leverage an ActiveX event to launch a decoded Excel4 macro. The script attempts to obfuscate its actions by splitting strings and using ExecuteExcel4Macro, indicating a downloader or initial execution stage. The specific payload or destination is not directly discernible from the provided script, leading to a lower confidence in family attribution.

Heuristics 3

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5c4734a75372bd0c102f2ac5cd5923e4742d5a9370c49b3d6c2875a78d45aa54		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1571 bytes
vbaProject_00.bin
ed068e773a89a44106f4b1e1672851ea2b00c6d2156fb1a9bc127f22a4825efb		 vba-project OOXML VBA project: xl/vbaProject.bin 19456 bytes
emf_00.emf
53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f		 ooxml-emf OOXML EMF part: xl/media/image1.emf 1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.