Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 937225cbd0737c32…

MALICIOUS

Office (OOXML) / .XLSX

212.8 KB Created: 2000-04-13 21:48:14 UTC Authoring application: Microsoft Excel 12.0000
MD5: 4b959e8812e34d65607dd237fbac9a08 SHA-1: 06ab345313c2cab98e83bae0a912798d621b8a3e SHA-256: 937225cbd0737c3212a68da73265a2d988a6c941e9a27229beb32c0507e559b6
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter T1071.001 Application Layer Compromise T1566.001 Phishing T1071.002 Remote Services - SMB

The file exhibits multiple indicators of malicious activity, including a VBA macro that executes upon workbook opening, a VBA project file, and suspicious artifact detections. The `Workbook_Open` macro is a common technique used to initiate malicious actions within Excel. The script attempts to instantiate COM objects, which are frequently used to perform actions such as downloading files or executing commands. The overall intent is likely to download and execute a secondary payload, potentially a remote access trojan or a downloader for additional malware.

Heuristics 4

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
009e42f84986e9ba5c6b675e9f6498a81a0708a499b53d5d846ec5341da7f908		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3600 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
cda7604829d60fe8b2bde7526ecf4af7f3f1ada33c0cfc96d036925686e3488d		 vba-project OOXML VBA project: xl/vbaProject.bin 16384 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.