Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b40da1841f26f8f3…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 25.3 KB
Created: 2020-09-28 12:54:55 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-10-08
MD5: b68804051e48dcd82405512ea79b838a
SHA-1: c91a65927f49b8dbb4dde0f0605bed83ee3ef1a4
SHA-256: b40da1841f26f8f39d2da4ab118ce5907a5e78302c5f187d299203f5f4596626
Risk score: 120

Heuristics (3)

  • VBA project inside OOXML  [medium]  OOXML_VBA  (2 related findings)
    The document contains a VBA project (xl/vbaProject.bin), so VBA macros are present.
  • VBA ActiveX event launches decoded Excel4 macro  [critical]  OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not. That is the VBA-stomping shape of an ActiveX-event XLM stager: Office runs the cached p-code when the document was compiled for a matching version, so the control event bridges into XLM formula execution to call Win32 APIs or drop payloads while source-level scanners see nothing.
  • OOXML VBA project hides Excel 4 macro execution bridge  [high]  OOXML_VBA_XLM_BRIDGE_RAW
    The raw vbaProject.bin metadata references ExecuteExcel4Macro together with string-deobfuscation primitives, and the OOXML package exposes a button, drawing, or control surface that can invoke VBA. This is a macro/XLM stager indicator for projects whose source cannot be recovered cleanly; it is not an attribution to a document-parser CVE.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  667 bytes
                                SHA-256: 444a758a3aa2dd6a9d266ea385ba700fb9f99a61828d366b31c2d2bf899153a1
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                            22528 bytes
                                SHA-256: afa9b09d92368e5d1e8a91e66c49168cde655ef483e8c6d5fe7a58b5fc1b485c
emf_00.emf         ooxml-emf    OOXML EMF part: xl/media/image1.emf                             1408 bytes
                                SHA-256: 53a88b00b3c0368a97f07e5705cf02259ed019efd03221a3f484b750c1f9742f

Preview of macros.bas (first 1,000 lines of the extracted script). The decoded source consists only of module attributes for ThisWorkbook and Sheet1, with no procedures, which is what the stomped-source findings above describe:

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "previews, 7, 0, MSForms, MultiPage"
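The stomping check behind OLE_VBA_ACTIVEX_XLM_STAGER and OOXML_VBA_XLM_BRIDGE_RAW is, in essence, "decompress the source stored at MODULEOFFSET, then look for identifiers that survive only in the compiled bytes". The Python below is an added example written for this page, not the report's own tooling. It implements the MS-OVBA decompressor (literal and copy tokens, raw chunks), a minimal literal-only encoder used only to construct test input, and the comparison, and runs it over a constructed module whose recovered source is attribute lines only, like macros.bas above, next to the same module with its source intact. The p-code region, the module offset, the event name and the identifier list are constructed assumptions; on a real vbaProject.bin you would read each MODULE stream and the dir stream's MODULEOFFSET with olefile/oletools and also scan the _VBA_PROJECT stream, where the identifier table lives.

```python
"""Added example: recover module source with the MS-OVBA decompressor and
compare it against identifiers visible in the raw project bytes.
Constructed input only; not code from the report's pipeline."""
import re
import struct

# Identifiers worth looking for in a stager; the first two are the ones the
# report's heuristics name (ExecuteExcel4Macro plus a string-deobfuscation primitive).
SUSPICIOUS_IDENTIFIERS = ["ExecuteExcel4Macro", "StrReverse", "Chr", "Shell", "CreateObject"]


def decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (spec 2.4.1): a 0x01 signature
    followed by chunks of a 2-byte header and up to 4096 decompressed bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start = pos
        if pos + 2 > len(container):
            raise ValueError("truncated chunk header")
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3              # whole chunk, header included
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), chunk_start + chunk_size)
        pos += 2
        dec_chunk_start = len(out)
        if not (header >> 15) & 1:                      # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                      # one flag bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:              # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                difference = len(out) - dec_chunk_start
                bit_count = max(4, (difference - 1).bit_length())    # ceil(log2(difference)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):                 # byte-wise: copies may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_literal_only(data: bytes) -> bytes:
    """Spec-valid encoder that emits only literal tokens (flag bytes 0x00).
    Office's encoder also emits copy tokens and raw chunks; this is just
    enough to build test input for the decompressor."""
    out = bytearray(b"\x01")
    block = 3640   # 3640 data bytes + 455 flag bytes = 4095, the 12-bit chunk-size limit
    for start in range(0, len(data), block):
        piece = data[start:start + block]
        body = bytearray()
        for g in range(0, len(piece), 8):
            body += b"\x00" + piece[g:g + 8]
        header = 0xB000 | (len(body) + 2 - 3)           # flag=1, signature=0b011, size-3
        out += struct.pack("<H", header) + body
    return bytes(out)


def find_hidden_identifiers(raw: bytes, source: bytes, candidates=SUSPICIOUS_IDENTIFIERS) -> list:
    """Identifiers present in the raw project bytes (ANSI or UTF-16LE, as the
    identifier table and p-code store them) but absent from the recovered source."""
    raw_l = raw.lower()
    src = source.decode("latin-1").lower()
    hidden = []
    for name in candidates:
        n = name.lower()
        in_raw = n.encode("ascii") in raw_l or n.encode("utf-16-le") in raw_l
        in_src = re.search(r"\b" + re.escape(n) + r"\b", src) is not None
        if in_raw and not in_src:
            hidden.append(name)
    return hidden


def analyze_module(stream: bytes, module_offset: int) -> dict:
    """stream is one MODULE stream: performance cache (p-code) first, compressed
    source at MODULEOFFSET (read from the dir stream on a real file; passed in here)."""
    source = decompress(stream[module_offset:])
    return {"source": source,
            "hidden": find_hidden_identifiers(stream[:module_offset], source)}


# Constructed inputs (not from the sample): a stomped module whose source is only
# attribute lines, next to the same module with its source intact.
STOMPED_SOURCE = (b'Attribute VB_Name = "Sheet1"\r\n'
                  b'Attribute VB_Control = "previews, 7, 0, MSForms, MultiPage"\r\n')
INTACT_SOURCE = STOMPED_SOURCE + (
    b'Private Sub previews_Change()\r\n'               # event name is an assumption
    b'    ExecuteExcel4Macro StrReverse(Range("A1").Value)\r\n'
    b'End Sub\r\n')
# Stand-in for the p-code region: identifier strings as the compiler leaves them.
PCODE_REGION = (b"\x00" * 16 + "ExecuteExcel4Macro".encode("utf-16-le")
                + b"\x00" * 4 + b"StrReverse" + b"\x00" * 8)


def demo() -> dict:
    """Hidden identifiers for the stomped module versus the intact one."""
    stomped = analyze_module(PCODE_REGION + compress_literal_only(STOMPED_SOURCE), len(PCODE_REGION))
    intact = analyze_module(PCODE_REGION + compress_literal_only(INTACT_SOURCE), len(PCODE_REGION))
    return {"stomped": stomped["hidden"], "intact": intact["hidden"]}


if __name__ == "__main__":
    print(demo())
```

For the stomped module demo() reports ExecuteExcel4Macro and StrReverse as present in the compiled bytes but missing from the source; for the intact module it reports nothing, so a plain "suspicious identifier in vbaProject.bin" rule would fire on both while only the difference separates a stomped stager from an ordinary macro.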