Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 7e62bd36429598bd…

MALICIOUS

Office (OOXML) / .XLSM

Size: 606.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 51830661de8f8f0df5ad2f3a4d08dd07
SHA-1: 99f9ed52be97d0fac43706f5bc150e5e0e79ecf1
SHA-256: 7e62bd36429598bdd23020c500778dd7e8daa2374f451617dd141a2a43912e1b
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1566.002 Spearphishing Attachment

The sample is an XLSM file containing a Workbook_Open macro, which indicates it is designed to execute code as soon as the workbook is opened. The macro calls a function named 'Detio' and then displays a user form, which suggests a downloader or initial execution stage. The presence of Excel 4.0 macro sheets and embedded URLs pointing to an IP address further supports this assessment. The extracted Excel 4.0 macro sheets contain strings that appear to be 'regsvr32' commands for executing a file named 'hast.ser' retrieved from a specific IP address, indicating a download-and-execute chain.

Heuristics (5)

  • Excel 4.0 macro sheet (2 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro present; VBA runs automatically when the workbook is opened.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.bin.rels: IC-Office-Work-Schedule-Template16
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.iec.ch
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: f35edebd65f2486e3f48c3f3aa064d03ff096f2bf9302d6865a1bbca8e954c8b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3324 bytes
  • vbaProject_00.bin
    SHA-256: e2b623b050c8dd3b617fa7a3cf0672cd40b5d6248ac15af0e3d3c7928cd515e1
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 20480 bytes
  • xlm_sheet_00.bin
    SHA-256: ab6115cf0c85d0fbbc57b16373ec3177c2fd932c9dd4bbe00a97987876d7db4a
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
    Size: 1213 bytes
  • xlm_sheet_01.bin
    SHA-256: 2054a4fe6328ca7eb2f39f156ed46ee14c6a1e5be94c807f0daa539bed9d9837
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin
    Size: 756 bytes