Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 72fb812f2c50fa61…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSM
Size: 30.2 KB
Created: 2020-11-04 14:00:46 UTC
Authoring application: 16.0300 (Office AppVersion)
MD5: ec719cb0e264d4a0e43bf15701e7cf35
SHA-1: 699a3f8a33922e9026d54aab708b745b5c1f2b0e
SHA-256: 72fb812f2c50fa612578ce016ff47a5b477c23a9181397fab8628d881ca6c0c5
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an XLSM workbook whose VBA project carries obfuscated macros. The critical heuristic OLE_VBA_ACTIVEX_XLM_STAGER indicates that an auto-firing ActiveX control event hands control to decoded Excel 4.0 (XLM) macro formulas through ExecuteExcel4Macro. The VBA layer exists to obfuscate and launch that XLM stage, which is most likely what downloads and executes the next payload. Because the heuristic fires on the compiled p-code rather than on the decompressed VBA source, the extracted macros.bas on its own understates what the module does; the compiled module in vbaProject_00.bin is the authoritative view.

Heuristics (2)

  • OLE_VBA_ACTIVEX_XLM_STAGER (critical): VBA ActiveX event launches decoded Excel 4.0 macro
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed VBA source does not. That is the VBA-stomping shape of the ActiveX-event XLM stager: the control event bridges into XLM formula execution, which can call Win32 APIs or drop payloads, and none of it is visible to scanners that read only the decompressed source.
  • OOXML_VBA (medium): VBA project inside OOXML
    The document contains a VBA project (xl/vbaProject.bin), i.e. VBA macros are present.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2094 bytes
  SHA-256: f5bba413bc13b8809d1514619cee6539855b53be62788a9f305e6bb8ad2265e1

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 19968 bytes
  SHA-256: 3c6369a3a6c5fa1c1be39002fee9c45e48e5920904ec5366e6e9f8dc3caf6cbe

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 2024 bytes
  SHA-256: 8357e7f07f41a1e53a6ef35edda5f8d6ef14c676e025cb302cff4e47f3ae55a8