Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b6d779234c13411a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 71.7 KB
Created: 2020-12-09 10:18:36 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ee59ba683246a66ec816c82d6cc33ad8
SHA-1: 0f9594bca68a51f61588731117a83037830c52ad
SHA-256: b6d779234c13411aca916eba5c99c88e0d089f693d95c5e4828cec56b413cb1b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This XLSM file contains Excel 4.0 macros, which are known to be used for malicious purposes. The critical heuristic 'OOXML_XLM_DANGEROUS_FN' indicates the use of dangerous XLM formula APIs like RETURN(), which can be used to download and execute payloads. The VBA code also appears to be obfuscated and attempts to execute a command via MsgBox, further suggesting a malicious intent to download and run a second-stage payload.

Heuristics (5)

  • OOXML_XLM_MACROSHEET (critical): Excel 4.0 macro sheet (1 sheet)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • OOXML_XLM_DANGEROUS_FN (critical): Dangerous XLM formula APIs: RETURN
    The Excel 4.0 macro sheet uses formula APIs from the family that calls directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin, so VBA macros are present.
  • OOXML_HIDDEN_SHEET (low): Hidden worksheet
    Excel workbook contains 1 hidden sheet. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs listed below are standard OOXML/SpreadsheetML XML namespace identifiers that appear in the XML parts of any Excel workbook; they are schema references, not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, 1805 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: 0e693726c86dad3de5c5b5934e5bc9ebc751aac50c7c23a18b5040dd36b3e9b8
  • vbaProject_00.bin (kind: vba-project, 18432 bytes)
    Source: OOXML VBA project: xl/vbaProject.bin
    SHA-256: 34884ef3db9d8096ef9a3ba9668c2818a768df37204b88a1980354db870bda54
  • emf_00.emf (kind: ooxml-emf, 1976 bytes)
    Source: OOXML EMF part: xl/media/image1.emf
    SHA-256: 76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d
  • xlm_sheet_00.xml (kind: xlm-macrosheet, 962 bytes)
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    SHA-256: 87ab48abcaf9ccd52ff9cb01385542be55fb5b868b5d6e752c446cb4d065f8e2