Office (OOXML) / .XLSM malware analysis — malicious · a0f15919fdcbd820

MALICIOUS

Office (OOXML) / .XLSM

51.9 KB Created: 2020-11-18 12:41:19 UTC Authoring application: Microsoft Excel 16.0300

MD5: ed931b0cc827a4f9051f80b6598a4f6e SHA-1: 4ec5ef894b046c2486b63b503c6b93fc2c873188 SHA-256: a0f15919fdcbd8208938d1118be24041fc917ca3a9a7be768eb08574fe80f447

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to execute worksheet-decoded XLM formulas. The VBA script confirms this by using `ExecuteExcel4Macro` to run decoded XLM formulas. This technique is commonly used to download and execute further malicious content. No specific family could be identified, and no direct IOCs were extracted.

Heuristics 2

VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER

VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f45f2d041b8732d93eb924e1e7ef86eadcd6fdc48033c010d79044d47ccddc0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1236 bytes
`vbaProject_00.bin` `2b30ecb4974bce8c6c2d94cc24e03428831c46dbcd271a890a3696ae46da110b`	vba-project	OOXML VBA project: xl/vbaProject.bin	15360 bytes
`emf_00.emf` `4609916d8bdbc79e29612828ccd046cae14d7ddc0bfea0db84520ad5f180a00d`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.