Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8b01aa62a3b8ee34…

MALICIOUS

Office (OOXML) / .XLSM

Size: 3.28 MB
Created: 2022-09-09 13:53:01 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-09-11
MD5: 92f461daa7e4133a201fc69a1d3479a5
SHA-1: 6008dfba2ca8d4c292c8cb9d1d45833a68bd2b6d
SHA-256: 8b01aa62a3b8ee347dfd39eaed1a8828280569105b703dd3f5b1f133bbea954b
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The OOXML file contains VBA macros, indicated by the 'OOXML_VBA' heuristic. The 'OLE_VBA_CALLBYNAME' heuristic and the presence of obfuscated API calls in the VBA script suggest the macro is designed to execute arbitrary code. The script attempts to load libraries and call functions, likely to download and execute a second-stage payload, but the exact mechanism is obscured.

Heuristics (3)

  • OOXML_BOGUS_CUSTOM_PART (severity: high) — OOXML part with non-standard content type and high-entropy data
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • OLE_VBA_CALLBYNAME (severity: high) — CallByName call
    The VBA code invokes CallByName, which resolves the method to call from a string at runtime and is commonly used to hide the real API being called from static inspection.
  • OOXML_VBA (severity: medium) — VBA project inside OOXML
    Document contains a VBA project — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 14011 bytes
    SHA-256: de3afa80c35f0ba17562b9753e42e7dd2677847103fa19bf451bd607b8576627
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 58880 bytes
    SHA-256: 7e21e401643d7a8fb098970e58785c102b859c314ac4978d924d263b1cf6d96e