Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a01feb0cc0f71ea4…

MALICIOUS

Office (OOXML) / .XLSX

425.3 KB Created: 2000-04-13 21:48:14 UTC Authoring application: Microsoft Excel 12.0000
MD5: 1d23f3324bed375df4da3ec19ce76c6b SHA-1: 9240d21ab6150f8b0dc8ee0c0caad607abc866b6 SHA-256: a01feb0cc0f71ea4c1d55fff2a54a3ab5f2ad4b8d1aa1b93de814b7e6b31fc99
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1059.001 PowerShell T1547.001 Registry Run Keys / Startup Folder T1059.003 Windows Command Shell T1059.001 PowerShell

The sample is an Excel spreadsheet containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The VBA script utilizes CreateObject to interact with the Windows Task Scheduler and the FileSystemObject to write a file to disk, likely to download and execute a second-stage payload. The script's obfuscated nature and reliance on system utilities suggest a downloader or dropper functionality.

Heuristics 6

  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a8773828255b8e24324f26c4f261bc2361713cb7a933c55d51dfa1ed0bb69400		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3839 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
a56fb2c1bdfdba2c68df3bbd566f4c349f3b9ee8aa65f6961a67e5a2ebc51eb2		 vba-project OOXML VBA project: xl/vbaProject.bin 16896 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.