Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a1131836bd4b758e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.57 MB
Created: 2004-02-18 09:50:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8f56a187290b82edece24ce6096c7a25
SHA-1: ab67582ab73165f8d049ca7fe2a18131b57d928e
SHA-256: a1131836bd4b758eb1a169b48ab7ea03d6795cebdab1f99ebf6c01f3f53edc8f
Risk Score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing VBA macros, indicated by the OOXML_VBA heuristic. The presence of Workbook_Open and Auto_Open macros, along with a critical Shell() call, strongly suggests that the macro code executes automatically upon opening the document. This code is likely designed to download and execute a secondary payload, a common technique for initial access.

Heuristics 8

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • Auto_Open macro [high] OLE_VBA_AUTO
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • GetObject call [high] OLE_VBA_GETOBJ
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
    URL: http://schemas.microsoft.com/office/2009/07/customui
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 82779447c7511dd121577a15d495fcbc1612d3a0a68913cb1edc8464ac93bb2a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 607586 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Notes: Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 80 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 351d25bcd495eda53da33844e41750fce49dacc8ab530c8a59d164aa40f7d3c9
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 2016256 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Notes: Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 12 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.