Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8df0d05c36a64b13…

MALICIOUS

Office (OOXML) / .XLSX

Size: 24.4 KB
Created: 2021-11-18 12:27:29 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-17
MD5: 9d8c54971f5f1ff74368785674e18a77
SHA-1: 329de5f9b1b72def08da75e5c9cc116ebfeb76eb
SHA-256: 8df0d05c36a64b13869343917076ba8f65604ea1ecde50292f361ad4e34b4b09
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is an Excel spreadsheet containing a Workbook_Open macro, indicating it is designed to execute code upon opening. The macro likely attempts to download and execute a second-stage payload from the embedded URL. The presence of a Workbook_Open macro and an embedded URL strongly suggests a malicious intent to deliver further malware.

Heuristics (4)

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cvg.org/wp-content/uploads/2020/document.zip

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 7670152fe843e44a947d50ab6f1de8ec6cb94934cef7a173181e6d8dcc6c0c4c
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 25705 bytes
  • vbaProject_00.bin
    SHA-256: 69e12653bbe7c662dd18cf58d5c8e065395fe34e1e25d466991e9e3bd93fc4c6
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 14336 bytes
  • emf_00.emf
    SHA-256: 2b7f9e42129569c8865fc6b998af84adac859d07a47f616e122680861f41827f
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1316 bytes