Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8047a023b8d2521d…

MALICIOUS

Office (OOXML) / .XLSM

Size: 14.8 KB
Created: 2020-06-05 06:51:47 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f947cb678ad7751e8ec0cf3c2d317b04
SHA-1: 1907fe1b59c90e5b63188446c1f7c1d1061ef653
SHA-256: 8047a023b8d2521d7075ef9040741ced3f673f170bbb0c7283b2f38ce1fb731a
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 System Binary Proxy Execution: Rundll32

The sample contains a Workbook_Open macro, a common technique for auto-execution. The VBA code is obfuscated and uses a split string literal to reassemble the 'winmgmts' keyword, which is then used with GetObject to launch a process via WMI. This indicates an attempt to execute arbitrary code or download a second-stage payload.

Heuristics 8

  • VBA WMI Win32_Process launcher | critical | OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals | critical | OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Excel 4.0 macro sheet (1 sheet(s)) | critical | OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Workbook_Open macro | high | OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call | high | OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML | medium | OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    dfcb1a706fb5e3de902f2676fc18dc6aa2c44bbed88df7f2c35085e3d2b99ae2
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3445 bytes
  • Filename: vbaProject_00.bin
    bd6bdec3f2db4577444954dc5a22b01f976c9407011283a38fb0867a2dc9cecd
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 13312 bytes
  • Filename: xlm_sheet_00.xml
    eacbd2c16b1ed3ce2fa1ad4f022b52c62067227ea482f87db161ee25e58ecb67
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 1199 bytes