Office (OOXML) / .XLSM malware analysis — malicious · a28a94d233dc2abe

MALICIOUS

Office (OOXML) / .XLSM

429.4 KB Created: 2026-01-08 19:43:07 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-01-09

MD5: fd361fcdd5d0cebc208dd4d81b88e846 SHA-1: f01ae5cd4d300669f1e1b353939586f48a06bc81 SHA-256: a28a94d233dc2abee2820193addd10e93f1da99897765273026fdf4e6a47be2a

390 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment T1140 Deobfuscate or Obfuscate T1204.002 Malicious File

The sample is an XLSM file containing an Auto_Open VBA macro that attempts to execute a PowerShell payload. The macro uses obfuscated code and references PowerShell directly, indicating a downloader or initial execution stage. It also attempts to create a persistence mechanism via a Run key entry.

Heuristics 12

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (xl/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `e4c23572e9246a4357fc50da31738aeee4656ee0e5260bd797062d3766d3be4a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	18005 bytes
`ooxml_oleobject_00.bin` `01cbb2479d37cdfcfeb50974151c92070e71b5393a142fb127f2314feb3272ee`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	700416 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.52, consistent with packed or encrypted content.
`ooxml_oleobject_00_ole10native_00.bin` `6521028c1cefaa4fe34c7e5c0b70e37fa55b6b998888807658cdbed88e7da588`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	693288 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.55, consistent with packed or encrypted content.
`vbaProject_00.bin` `00c9199fc501dd94362df5e05c734c8c37dfe8704ae730e321e65c84c20fc3a6`	vba-project	OOXML VBA project: xl/vbaProject.bin	38400 bytes
`emf_00.emf` `47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.