Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 91f02fd041dc80fe…

MALICIOUS

Office (OOXML) / .XLSX

Size: 425.1 KB
Created: 2000-04-13 21:48:14 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 318a3984d6f20a51c326bcacd83bf11f
SHA-1: fbb43b06f54fd891030b08497d757170fa2eeeda
SHA-256: 91f02fd041dc80fe5ad1c0ba9c0b273772af9c63e49bb602aa9c8d59cb276892
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter
  • T1071.001 Application Layer Compromise
  • T1566.001 Phishing
  • T1071.002 Software Installation
  • T1071.005 Proof of Concept Execution

The file exhibits several indicators of malicious activity, including a VBA macro that triggers upon workbook opening, a LOLBin reference, and suspicious artifact detections within the VBA project. The macro's behavior – creating a file in the user's profile and executing a script – strongly suggests a downloader attempting to retrieve and execute a secondary payload. The use of `Environ()` further supports this, likely for obtaining paths to staging locations. The `CreateObject` call is a common technique for establishing a connection to a command-line interpreter or other system utilities. The overall intent is to establish a foothold and potentially escalate privileges.

Heuristics (6)

  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 6ee52e51163e41fb78bba265aaa70496b33739f2b4463ac6a517ab9e94d6a011
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3617 bytes
  Detection: ClamAV: No threats found; Obfuscation or payload: likely
  Notes: Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
  SHA-256: 5a440ed0818e0059461d2e9083aa583f8daf0d97303a004f7ddae9e8233fac33
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 16896 bytes
  Detection: ClamAV: No threats found; Obfuscation or payload: likely
  Notes: Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.