Office (OOXML) / .XLSX malware analysis — suspicious · 75fc8c0d30fd0d48

SUSPICIOUS

Office (OOXML) / .XLSX

50.9 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300

MD5: b844fc7eb421f58398e77d4d5f8e72e6 SHA-1: 99ad75664af398c29d6ce8728ec85ca837daf975 SHA-256: 75fc8c0d30fd0d486fe39cb39b5ebfc4f2858a65dcdde6c23c6ce70310030958

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is commonly used to execute arbitrary commands. The VBA script attempts to bypass PowerShell execution policy and download a payload from the reconstructed URL 'http://limitededitionphotos.nl/wp-includes/ID3/zzz.txt'. This suggests the document is a downloader for a second-stage payload.

Heuristics 3

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7a233a1261510f520e332fdcfae49e2c85f893f9dcc9c0ee8adddeacf6cd9cb2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2236 bytes
`vbaProject_00.bin` `0d193243ffd979de9e31cb1e91a116f8909dbcb1400d2d8f27b92b58e26be3f5`	vba-project	OOXML VBA project: xl/vbaProject.bin	12288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.