Office (OOXML) / .XLSM malware analysis — malicious · a86e178e1ff98b68

MALICIOUS

Office (OOXML) / .XLSM

41.6 KB Created: 2020-10-07 11:48:03 UTC Authoring application: 16.0300

MD5: e66894d5b81e5ab3370efb889d2e95bc SHA-1: 90e7c9b256d979665cef39552bcd3d9ac1768372 SHA-256: a86e178e1ff98b684fe5c47d4caa8d98430e8f2a2c7980df9249040d5c68639c

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic OLE_VBA_ACTIVEX_XLM_STAGER indicates that a VBA ActiveX event launches a decoded Excel4 macro. The extracted URLs from the document body are likely used by the macro to download and execute a second-stage payload. The VBA script contains functions to decode and execute Excel4 macros, and the reconstructed URLs are the primary indicators of compromise.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3be3932383cf73c3ae1910b6d88250d0089310e568aec6c236f4b9e0977ad703`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2196 bytes
`vbaProject_00.bin` `3c38bfd35fd2d2a5e401d2ec82b66018cc0b26e35393fc89998a45a563d4d32b`	vba-project	OOXML VBA project: xl/vbaProject.bin	20480 bytes
`emf_00.emf` `218c7f8bb6b298329422b6c448e44a8674b65ad2b4cb8337205fc90b22c33ce8`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.