Office (OOXML) / .XLSM static analysis report

Static analysis result for SHA-256 7a7399f081d0da74…

Verdict: SUSPICIOUS

File type: Office (OOXML) / .XLSM

Size: 244.3 KB
Created: 2018-09-11 02:17:54 UTC
Authoring application: Microsoft Excel Online 16.0300
First seen: 2026-02-23
MD5: 61121b532ae8e8229ec2fcc7fbeb8eea
SHA-1: f4f3883cc2da33cdf08910b4ec90b5f239c2a26f
SHA-256: 7a7399f081d0da7477aa5c5308cd901885cb64655bc293d52496a504481ba584
Risk Score: 40

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The presence of VBA macros, specifically the use of `CreateObject`, indicates an attempt to execute code within the document. The macro code appears to be designed to fetch data from external URLs, including one with an 'unknown' reputation, and process it. This suggests the macro's purpose is to download and execute a second-stage payload, likely for malicious purposes such as information theft or further system compromise.

Heuristics (5)

  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • External hyperlinks (1) (severity: low, rule: OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://amzn.to/3gcBed7
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://www.profiletraders.in/blog
    • https://amzn.to/3gcBed7
    • https://www1.nseindia.com//live_market/dynaContent/live_watch/get_quote/getHistoricalData.jsp?symbol=
    • https://finance.yahoo.com/quote/
    • https://www1.nseindia.com/live_market/dynaContent/live_watch/equities_stock_watch.htm
    • https://www.nseindia.com/market-data/live-equity-market
    • https://www.nseindia.com/market-data/live-equity-market?symbol=NIFTY%2050
    • https://www.nseindia.com/market-data/live-equity-market?symbol=NIFTY%20200
    • https://www.nseindia.com/market-data/live-equity-market?symbol=NIFTY%20MIDCAP%20150
    • https://www.nseindia.com/market-data/live-equity-market?symbol=NIFTY%20MIDSMALLCAP%20400
    • https://www.nseindia.com/market-data/live-equity-market?symbol=NIFTY%20SMALLCAP%20250
    • https://gocharting.com/terminal?ticker=NSE
  • Macro capabilities present but unconfirmed (severity: info, rule: MACRO_CAPABILITY_UNCORROBORATED)
    The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  34643 bytes
    SHA-256: b24aa82ae225af80d5c7d089e11e64f88f159d091a81b96a63b8d8bdc48c9e95
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            95232 bytes
    SHA-256: 781181ab8a2c44b43b09848a2b3cf06e1c1b2097e7c456bca84bd3bb65bb5dce