Office (OOXML) / .XLSM malware analysis — suspicious · 7473d0694daf4bd5

SUSPICIOUS

Office (OOXML) / .XLSM

93.3 KB Created: 2006-09-28 05:33:49 UTC Authoring application: Microsoft Excel 16.0300

MD5: f251d246ad0d63da7e12cd866afac0a2 SHA-1: 3fff954fb6dc4d620376618f91117a32ef14a244 SHA-256: 7473d0694daf4bd5e4a1197d52923233c5d2ed3f23092eb31e88d98ed4b310e5

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The XLSM file contains VBA macros, indicated by the OOXML_VBA heuristic. The `Workbook_BeforeClose` subroutine uses `CreateObject` to execute a downloaded payload. Specifically, it constructs a command to download a file from 'http://rredgh.org/reply.php' to 'c:\programdata\uegdsj.bat' and then executes it using 'rundll32.exe' with a DLL located at 'c:\programdata\kghowd.dll'. This indicates a downloader functionality.

Heuristics 3

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7d0e4f9eca6c375569120ba330bb42201c662a984abfe1b1d91b52af7f27cd85`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3513 bytes
`vbaProject_00.bin` `fb50a28ea042a3e8a2e24d3b6d97ef7ad80d86e05e1174dc5ef64b939a7d6c74`	vba-project	OOXML VBA project: xl/vbaProject.bin	26624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.