Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8ba3fe03f29ff301…

MALICIOUS

Office (OOXML) / .XLSX

212.8 KB Created: 2000-04-13 21:48:14 UTC Authoring application: Microsoft Excel 12.0000
MD5: 182d476186264acb99c5e937e7873464 SHA-1: 7222842af82fff5402e657ac00d535b3d6da0851 SHA-256: 8ba3fe03f29ff301d2664a6d24cbe2ab96d9333cb48ef5ee4ad85482d3bc14b9
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter T1071.001 Application Layer Compromise T1566.001 Phishing T1071.002 Software Installation

The file exhibits several indicators of malicious behavior, including a VBA-based macro that executes upon workbook opening. This macro utilizes `CreateObject` to instantiate COM objects, potentially for downloading and executing a secondary payload. The `Workbook_Open` event handler is a common attack vector for delivering malicious code. The extracted artifacts, particularly the `macros.bas` file, contain obfuscated code and commands that suggest an attempt to evade detection. The overall intent is likely to download and execute a payload from a remote server.

Heuristics 4

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3c30b6dd07242d341ca72bcaf07058f81592ca1490dcf1a2b2534f10ce662f55		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3485 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
d00744beffbf7d7f900db846d388b52897c7ff620f6e8083d72c9e5aec4945b2		 vba-project OOXML VBA project: xl/vbaProject.bin 16384 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.