Office (OOXML) / .XLSM malware analysis — malicious · 70f4880e3e8bc39c

MALICIOUS

Office (OOXML) / .XLSM

599.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300

MD5: 91c98edf08b506f54a2e9de0a9da57c1 SHA-1: 1e5611f5caac62e07b9697034259282de96b6e60 SHA-256: 70f4880e3e8bc39c1e1a69827590ea775626e110ad1a307cee3bbee63eead05b

230 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is an XLSM document containing VBA macros, as indicated by multiple heuristic firings including OLE_VBA_CREATEOBJ and OLE_VBA_CALLBYNAME. The VBA code attempts to construct a JavaScript file path and execute it, suggesting it acts as a downloader for a second-stage payload. The ClamAV detection further confirms its malicious nature.

Heuristics 7

ClamAV: Xls.Dropper.Generic-9765465-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-9765465-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS

Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.micr
- http://schemas
- https://www.quora.com/profile/Alok-Jha-43

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `81c5d81e4281db8b8b5d5ad38e9ebf7df1152976cfba7c046c230e77581622d2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4538 bytes
`vbaProject_00.bin` `d3e7eb1932d0840d9a80c15f619c72e2f05a0c71716d0ba74b9be0610299b97b`	vba-project	OOXML VBA project: xl/vbaProject.bin	686080 bytes
Detection ClamAV: Xls.Dropper.Generic-9765465-0 Obfuscation or payload: unlikely
`emf_00.emf` `0295c5e4bea86a8a79ab50edfaa4d774e2d02df6ff818f54392499799e047686`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1842004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.