Office (OOXML) / .XLSM malware analysis — malicious · 78ccf25ecee02f75

MALICIOUS

Office (OOXML) / .XLSM

29.0 KB Created: 2020-11-24 09:53:01 UTC Authoring application: Microsoft Excel 16.0300

MD5: f72f88ebdf048fdfedf0aa3e298d9e71 SHA-1: b8ea58415338bed65d4cd194ead6ac663ad71a6c SHA-256: 78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b

150 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an XLSM file containing both VBA macros and Excel 4.0 (XLM) macros, indicating a multi-stage macro execution. The VBA script `PagamentoDocumento` appears to decode and execute XLM formulas, which is a known technique for obfuscating malicious code. The script also attempts to close the workbook after execution, suggesting it's a loader for a subsequent stage. The presence of hidden sheets and the use of ActiveX event handlers further support a malicious intent to conceal and execute code.

Heuristics 5

VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER

VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8e10ea5536973c4a702b510d41cb58c99ef0bd40763c2a630b9956d5991c0c3d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1370 bytes
`vbaProject_00.bin` `0769050157eef803c504a2b09520a42bd6a749147e1694533eea0571bf8c645b`	vba-project	OOXML VBA project: xl/vbaProject.bin	13824 bytes
`emf_00.emf` `76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1976 bytes
`xlm_sheet_00.xml` `7b123f25444cc6671f38ba962c4145783eefcdaabc27d46dafaacfb645e74c5f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	865 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.