Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a2e56ee7abc330ee…

MALICIOUS

Office (OOXML) / .XLSM

Size: 147.9 KB
Created: 2021-02-22 02:18:41 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 78a966dd22bc2e85d2f807e2575ea471
SHA-1: 7daac212c4080fc4c6abc01f515c7548be710d54
SHA-256: a2e56ee7abc330ee99d988aee0c118f06003cd7062c3a68bedec7faa59f41f55
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

This XLSM file contains a Workbook_Open macro that calls the Shell() function, which triggers a critical-severity heuristic. This indicates the macro is designed to execute arbitrary commands, a pattern commonly used to download and run additional malicious payloads. No specific malware family could be identified, and no external IOCs such as URLs or hashes were extracted from the document body or scripts.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 4b7263f6a43440acb8fc2a2be3404086db4e15539fc00867fc5237abbc53e8e3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 40894 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: abb237124f5403d4b6fe4b907a02f6afafc8d44c74082facc81feaee8ebd67a0
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 46592 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.