Office (OLE) / .XLSX malware analysis — malicious · 9f8bf2c7daf81b19

MALICIOUS

Office (OLE) / .XLSX

121.0 KB Created: 2006-04-03 13:16:00 Authoring application: Microsoft Excel

MD5: b32ba27efb9996d70203f908d331ed35 SHA-1: acbbca163eec758aeb919de12044dafc6082163f SHA-256: 9f8bf2c7daf81b19af67f9a954725e587ae5f3bfe00ab5b69559848a0d45df01

628 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The document body contains a lure for users to fill out a form, which is a common tactic for phishing or social engineering. The VBA script contains multiple critical heuristic firings indicating malicious intent, including `OLE_VBA_SHELL`, `OLE_VBA_WSCRIPT`, and `OLE_VBA_WMI_PROCESS_CREATE`. The `auto_open` subroutine in the `macros.bas` script is designed to execute automatically when the workbook is opened, and it attempts to copy itself and potentially execute further malicious actions. The script's use of `Shell()` and `WScript.Shell` strongly suggests it is designed to download and execute a second-stage payload.

Heuristics 16

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
ClamAV: Xls.Virus.Mailcab-6702020-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Virus.Mailcab-6702020-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `754d8b8af41642fd1433c4162d90ff81dcc08369ede784bd7da6d0aeecfea036`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	27117 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 shell/COM execution token(s). Carved artifact contains 9 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.