Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 89a726b219cb4a7a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.07 MB
Created: 2005-10-03 12:55:38 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-04

MD5: 355274d211b7dd7df761853029185e43
SHA-1: b685441e78a1674c788bc26df7036169b58add89
SHA-256: 89a726b219cb4a7af5357372dc28517f68696bb9faf9f1bb081382645a614900

Risk Score: 130

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.002 Spearphishing with Other

The sample is an OOXML Excel file containing VBA macros, specifically a Workbook_Open macro, indicating malicious intent. The document body contains what appears to be inventory data, likely a lure to trick the user into interacting with the malicious content. Although the VBA code is heavily commented out, the presence of the Workbook_Open event and the overall structure suggest an attempt to execute further malicious actions upon opening. No specific malware family could be identified.

Heuristics (6)

  • OOXML part with non-standard content type and high-entropy data [high] OOXML_BOGUS_CUSTOM_PART
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: /personal/iharjant_its_jnj_com/Documents/Documents/JNJ 2022/CSA/ICO CKR/4/Kebutuhan ICO CSA Cengkareng MT_W1 Apr 2022_re
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL strings (as carved, including truncated fragments):
    • http://schemas.micr
    • http://schemas.microsoft.com7
    • http://schemas.microsoft
    • http://schemas.mic�x
    • http://schemas
    • http://schemas.microsoft.com/a�

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

macros.bas
  SHA-256: 68684d837c154d8019556ea252bd9cdb9d4100924fa5dac6ffb763f8bb82664a
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 29966 bytes

vbaProject_00.bin
  SHA-256: b76e60953b31974c43a252f82c06e1aad26d955e843bc7b438335223776599af
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 118272 bytes

emf_00.emf
  SHA-256: cb39bd01443afe2624e90c16e72b10dc07a8138192d2f74b60e301b9fcf262b2
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 122200 bytes

emf_01.emf
  SHA-256: fb759fe91e01f0dd2ce88c9b7c7cb8ab46f8076ee72ec21095d7c1c1674dc1ff
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image2.emf
  Size: 22440 bytes