Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b80f9194087f2c57…

MALICIOUS

Office (OOXML) / .XLSM

Size: 146.2 KB
Created: 2021-03-31 10:01:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 685306911f64e7a7503f163d6b70c519
SHA-1: d9f4898fda95d4d720fb26cdbf81e64326d6e41d
SHA-256: b80f9194087f2c5747172b019b4b163a691b6bc002f18f7ede0c244f03c3d370
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.002 Phishing: Spearphishing Attachment

This XLSM file contains a Workbook_Open macro, a common technique for initial execution. The VBA code exhibits obfuscation, including the use of Chr strings, and the GetObject call suggests dynamic execution of further code. The heuristic firings strongly indicate that this macro is designed to download and execute a second-stage payload, although no specific URLs or hashes were extracted in this static analysis.

Heuristics (4)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro present; the VBA runs automatically when the workbook is opened.
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call present in the VBA code.
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 7474 bytes
    SHA-256: 4d31bd87659de57e854a3f52d4bcfc457e98f947e040ce27e26e503c529ad3f5
    Detection: ClamAV reported no threats found
    Obfuscation or payload: likely (the carved artifact contains 21 Chr/ChrW string-construction calls)
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 59904 bytes
    SHA-256: c41b724a0b2fd13d50181c4528622b155748e12110399252f28ba0c3ac15c369