Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 9ddd6cf08cc248e8…

MALICIOUS

Office (OOXML) / .XLSM

437.7 KB Created: 2026-01-08 22:52:47 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-01-09
MD5: aaa43e8267afc8d8533463c77c109f12 SHA-1: 02fa755fe38484cd9a219e87eae925be7fa35b46 SHA-256: 9ddd6cf08cc248e84fab497f9f508c3a4277f7d8d500f8bf7d18d19fd1fd2faf
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1140 Deobfuscate or Obfuscate

This XLSM file contains an obfuscated Auto_Open VBA macro designed to execute a payload. The macro references PowerShell and uses CreateObject and GetObject calls, indicating it attempts to download and run a secondary executable. It also attempts to establish persistence by writing to the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy' and creates a file at 'C:\Users\Public\Documents\update.exe'. The document body displays a fake 'Enable Content' prompt to lure the user into running the macro.

Heuristics 12

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (xl/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
483097a90f6eb9997135b257095198c17497fbf4df905da1f24a636ba2e8cfe4		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 18160 bytes
ooxml_oleobject_00.bin
2eefdae5a671b60a20755921b68fb68562c331a2563dbf7adaa8a137629224a5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 711680 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
b8c6985f81eaeed94cecc23fe5f961b5c1991e54141c653e8061fdac6a4b63f9		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 704552 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin
f6dcdad828b8bc893586d220db5f0f0c3d2d4824c15230b526faebf87df75ada		 vba-project OOXML VBA project: xl/vbaProject.bin 38400 bytes
emf_00.emf
b72a6a943fa52f5e41c331e569b1af422b6a613f45c38e2f7b61bbc5e88c1511		 ooxml-emf OOXML EMF part: xl/media/image1.emf 4988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.