Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8243d4138835db46…

MALICIOUS

Office (OOXML) / .XLSM

72.6 KB Created: 2021-02-17 14:32:38 UTC Authoring application: 16.0300
MD5: d22a7e87a13baeb583c870e2d40798fc SHA-1: 9c673526cbba244d992898e6088a6cb17c5588f7 SHA-256: 8243d4138835db46bef1051fd0b396a110968deb97078b07fbd6ab60b6cc3bc3
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The file is an XLSM document containing Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize the `URLDownloadToFileA` function from `urlmon.dll` to download a second-stage payload from a remote URL. The presence of dangerous XLM formula APIs like `RETURN` further indicates the intent to execute arbitrary code. The specific URL for the payload download is obfuscated within the macro code.

Heuristics 6

  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: RETURN critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
e07ee623ec6e793a7c2d3ec0264f86d5b4bc20e56ddf038d3723364e65eb27ee		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4066 bytes
vbaProject_00.bin
2db1c353fb7c5d1ac6dc84e9034b198af3c7377f6a92c962b465245265a81600		 vba-project OOXML VBA project: xl/vbaProject.bin 26624 bytes
xlm_sheet_00.xml
230fdc63c0aebc81d640e0b441fcb7c17402e532c6ee025d19981054bddbf55a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.