Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b5b994ddac9450fe…

MALICIOUS

Office (OOXML) / .XLSM

Size: 29.1 KB
Created: 2020-11-04 11:23:48 UTC
Authoring application: 16.0300
MD5: f554ad10f03b542391df8fba35cf7a7a
SHA-1: 9db3592c403622cc68787a88ad5660c4107d577a
SHA-256: b5b994ddac9450fe4c709e2c0f8319f13b8b388acd55a9580cf204fc11174382
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA macros are used to execute Excel 4.0 macro formulas. The VBA script 'aramic' appears to be responsible for decoding and executing these formulas, likely as a downloader for a second-stage payload. The obfuscated nature of the DOC BODY content and the script itself suggests a deliberate attempt to hide malicious activity.

Heuristics (2)

  • [critical] OLE_VBA_ACTIVEX_XLM_CELL_STAGER: VBA ActiveX event runs worksheet-decoded XLM formulas
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains vbaProject.bin; VBA macros are present.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: b807bf235fff90dcfdc0cbc2658d52b1569216c26ed3046dac250b6e2c33f905
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2200 bytes

Filename: vbaProject_00.bin
  SHA-256: d1d87ec547d6bd5210a3e20fd547a51050b65435e6d2933fb1b6a560a039d92f
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 19968 bytes

Filename: emf_00.emf
  SHA-256: 3f657b8f455dba6a1f1e82394aca0218fe2d2d5fbdbc7037e0ea790beb66a76c
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 2352 bytes