Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b04c85304bfa02b7…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 332.1 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 84e6967cf27090e112877172b260bc32
SHA-1: 6d8c04fafd29487589dd4c586837d42bb5641aa8
SHA-256: b04c85304bfa02b7c49ffd85a12a6d901bbad1356edbf31361047b7388b27a07
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an OOXML document containing VBA macros, as indicated by the OOXML_VBA heuristic. The presence of CreateObject and CallByName calls suggests the macro is designed to execute arbitrary code. The ClamAV detection (Xls.Malware.Chartres-7641208-0) on both the document and the extracted VBA project confirms the malicious nature. The macros likely download and execute a second-stage payload, a common technique for delivering malware.

Heuristics (6)

  • ClamAV: Xls.Malware.Chartres-7641208-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Chartres-7641208-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, and (where present) Detection and Obfuscation or payload.

  • macros.bas
    SHA-256: 8c6472b8c563cc168f35ec4fd70824264234077b046e2683cd092f26c55f3c2d
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 4970 bytes
  • vbaProject_00.bin
    SHA-256: fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 385536 bytes
    Detection: ClamAV: Xls.Malware.Chartres-7641208-0
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • emf_00.emf
    SHA-256: 6bcb3082080cafb063cdc7430906163da0eee6ce1da785125bdefd247830a232
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image3.emf
    Size: 1599124 bytes
  • emf_01.emf
    SHA-256: bc052645292cfd971f0dc001c8145481812bb839ec8dc4544a1453d12b01cd03
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 4680 bytes
  • emf_02.emf
    SHA-256: 2342c7f40807fe0899c57d21b7eb0dcce86a2c680a665e271545dc5e449226f2
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1360 bytes