Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b556487ae4d88923…

MALICIOUS

Office (OOXML) / .XLSM

Size: 331.5 KB
Created: 2019-06-17 17:48:55 UTC
Authoring application: Microsoft Excel 12.0000
MD5: bde2b9dc7dab9e930be10b75dcd171ef
SHA-1: 8dfeed50d89f5a2264efb31e5f74816b49c148fb
SHA-256: b556487ae4d889236c1626083b0c9d45a29a5c3bc4e087bf2e3245b6a18ed2db
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an XLSM file containing a Workbook_Open macro, so the VBA runs as soon as the workbook is opened and macros are enabled (T1204.002). The macro builds a command string from environment-variable values obtained with Environ() and then executes it through Shell(). The macro appears to be obfuscated, so the exact payload could not be recovered statically, but the combination of an auto-exec entry point and a Shell() call strongly suggests a downloader or initial execution stage. The extracted VBA source (macros.bas) and the VBA project stream (vbaProject_00.bin) are listed as suspicious artifacts.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WBOPEN (high): Workbook_Open macro (auto-exec entry point)
  • EXTRACTED_FILE_STATIC_TRIAGE (high): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OOXML_VBA (medium): VBA project inside OOXML. Document contains vbaProject.bin, so VBA macros are present.
  • OLE_VBA_ENVIRON (low): Environ() call (environment-variable access)
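As an added example (not the analysis platform's code), the following Python applies the report's four VBA heuristics to a constructed workbook. The rule ids are the report's; the matching patterns, the in-memory .xlsm and the decoded macro text are this example's own assumptions. Decoding the macro source out of the real vbaProject.bin stream is left to an extractor such as olevba (the Source shown for macros.bas below), so the example takes already-decoded VBA text as input.

```python
"""Static triage of an OOXML workbook for the VBA indicators in the report above.

Added example, not the analysis platform's code. Rule ids mirror the report
(OOXML_VBA, OLE_VBA_WBOPEN, OLE_VBA_SHELL, OLE_VBA_ENVIRON); the matching
logic is this example's own approximation. The workbook is built in memory
and the macro text is supplied as already-decoded VBA source (the step an
extractor such as olevba performs), since a real vbaProject.bin is a
compressed OLE container that is out of scope here.
"""
import io
import re
import zipfile

# Rule id -> (severity, pattern over decoded VBA source). Severities follow
# the report. `Shell` is matched in both the function form `Shell("...")`
# and the statement form `Shell cmd, vbHide`, which has no parentheses.
VBA_RULES = {
    "OLE_VBA_WBOPEN":  ("high",     re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+Workbook_Open\b", re.I | re.M)),
    "OLE_VBA_SHELL":   ("critical", re.compile(r'\bShell\b\s*(?:\(|[A-Za-z_"])', re.I)),
    "OLE_VBA_ENVIRON": ("low",      re.compile(r"\bEnviron\$?\s*\(", re.I)),
}

# Constructed macro with the Workbook_Open -> Environ -> Shell shape the
# report describes; the command itself is harmless.
CONSTRUCTED_MACRO = """\
Private Sub Workbook_Open()
    Dim c As String
    c = Environ("COMSPEC") & " /c echo triage"
    Shell c, vbHide
End Sub
"""


def build_constructed_xlsm(with_vba: bool) -> bytes:
    """Minimal OOXML zip (constructed); only the part names matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # OLE compound-file magic plus padding: a placeholder, not a real project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def vba_project_parts(xlsm_bytes: bytes) -> list:
    """OOXML_VBA: every part named vbaProject.bin (xl/, word/ and ppt/ all qualify)."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def triage_vba_source(source: str) -> dict:
    """Return {rule_id: severity} for every rule that fires on the decoded source."""
    # Drop VBA line comments so a commented-out 'Shell' does not fire. This is
    # naive: an apostrophe inside a string literal would also cut the line.
    stripped = "\n".join(line.split("'", 1)[0] for line in source.splitlines())
    return {rid: sev for rid, (sev, rx) in VBA_RULES.items() if rx.search(stripped)}


def triage_workbook(xlsm_bytes: bytes, decoded_macros: str = "") -> dict:
    """Combine the container check with the source checks into one verdict."""
    hits = {}
    parts = vba_project_parts(xlsm_bytes)
    if parts:
        hits["OOXML_VBA"] = "medium"
        hits.update(triage_vba_source(decoded_macros))
    # Auto-exec entry point plus a process launch is the downloader / initial-stage shape.
    stage = "OLE_VBA_WBOPEN" in hits and "OLE_VBA_SHELL" in hits
    return {"vba_parts": parts, "hits": hits, "autoexec_with_shell": stage}


if __name__ == "__main__":
    print(triage_workbook(build_constructed_xlsm(True), CONSTRUCTED_MACRO))
    print(triage_workbook(build_constructed_xlsm(False)))
```

The statement form `Shell c, vbHide` is the case a naive `Shell(` substring check misses, which is why the pattern allows an identifier or string to follow the keyword directly. Matching on decoded source also means the checks say nothing about what an obfuscated command string resolves to at run time; that still needs emulation or a sandbox.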

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f2a00c979874d613c9bc05434c8aad7e34e468fa0d00d5d2bca098856a1b1d6b
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1100 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: vbaProject_00.bin
SHA-256: 935845b1f9de55aaf932efef4fda4b50e7bce9d66dfd20817a86b28fd1a2230d
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 9216 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.