Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a13dbd505fff74b6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 67.0 KB
Created: 2018-10-19 11:39:03 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-08
MD5: ecfe08ae027028dd6589a12b4891a35f
SHA-1: 9a7d30d3d99e37f41691237ecbe4e5f865afbee9
SHA-256: a13dbd505fff74b6ff77ff1d579422da311b04eb45ee5be022fa50ea92d95c7b
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The presence of a Workbook_Open VBA macro indicates that the malicious code executes automatically when the Excel file is opened. The macro attempts to insert a remote image from the URL http://fr-fichiers.fr/50721bf8-3b0b-40e3-b2b8-161c53ec65a7, which is likely used as a web beacon for tracking or to download a secondary payload. This behavior is characteristic of phishing attachments designed to compromise the recipient.

Heuristics 5

  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: http://fr-fichiers.fr/50721bf8-3b0b-40e3-b2b8-161c53ec65a7
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fr-fichiers.fr/76868d8b-c607-44a6-9b60-91b0f85b7c09 In document text (OOXML body / shared strings)
    • http://fr-fichiers.fr/50721bf8-3b0b-40e3-b2b8-161c53ec65a7 OOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 755 bytes
SHA-256: 7206d4f1e77c5df473864eff0cfdc99478940d95b300ae3344caf65361bfd31a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Sub Workbook_Open()

    Dim imagePath As String
    imagePath = Cells(58, 19)
    ActiveSheet.Pictures.Insert (imagePath)
    
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 14336 bytes
SHA-256: 66e764863080811ffc34a9e44a23257167078831a6114970cc91450047aa6129