Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 8d64a012716a426a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 430.7 KB
Created: 2004-08-16 18:44:14 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 32855de741eb42afe866830b1f9a6e6e
SHA-1: 8322d23aef67fed8b201b9a679b21e4aa8143fe1
SHA-256: 8d64a012716a426a5abb3fa295dfe66b8787058fd1a7736ef608ced25921c2fb
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.002 Spearphishing with Other
  • T1059.001 PowerShell

The file is an XLSM document containing a Workbook_Open macro, indicating automatic execution upon opening. The presence of a CreateObject call and a NOP sled suggests obfuscation and potential payload execution. The document body contains text related to a price quote template, which is likely a lure to trick the user. The extracted URL points to a legitimate template site, but its inclusion in a malicious document warrants attention.

Heuristics (6)

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.vertex42.com/ExcelTemplates/quote-template.html

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 7f483a2ed44ca450aefe4e7b01bbf09b8266850e88e29c1395171a9205440783
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 5563 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
  • vbaProject_00.bin
    SHA-256: 5082b7618528be2b27df54304d5ae694b2a66b8a2432197e9d91d17832cfd037
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 25600 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.