Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b908e32fa44d7672…

MALICIOUS

Office (OOXML) / .XLSM

1.15 MB Created: 2021-07-02 03:16:37 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-04-17
MD5: 6e0722a700af97cc6eb757c919f880fa SHA-1: c6806d6020310665ccaad4740a9dfe9905006460 SHA-256: b908e32fa44d7672a1a6058355404cf26315ea9e1ff07a34c8ea14fd99241c4f
674 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

This macro-enabled Excel document (XLSM) contains a Workbook_Open macro that attempts to trick the user into enabling macros via an 'Enable Macros' lure. Once enabled, the macro utilizes WScript.Shell and CreateObject to execute PowerShell commands. The script's primary function appears to be downloading and executing a second-stage payload from the URL 'https://downloads.stacos.com/TDS/TDS_Downloads/FVU/TDS_FVU_2169.jar'. The document body contains text related to eTDS-XL software and motivational quotes, likely serving as a distraction from the malicious activity. The presence of ClamAV detections further supports its malicious nature.

Heuristics 20

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: ../../../../../../../../Users/NVSSY_Home_Dell/Downloads/eTDS-zip_Sample/eTDS-zip_Sample.xlsm
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://support.microsoft.com/en-us/office/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
  • Hidden worksheet (veryHidden, hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 22 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://eportal.incometax.gov.in/iec/foservices/#/download-csi-file/tan-user-details
    • https://downloads.stacos.com/TDS/TDS_Downloads/FVU/
    • https://downloads.stacos.com/TDS/TDS_Downloads/FVU/TDS_FVU_2169.jar
    • https://downloads.stacos.com/TDS/ETDS_XL/EULA_TDSXL.pdf
    • https://downloads.stacos.com/TDS/ETDS_XL/ETDS-XL.zip
    • https://incometaxindia.gov.in/Pages/tax-services/facilitation-centre-locator.aspx
    • https://eportal.incometax.gov.in/iec/foservices/#/login
    • https://www.tdscpc.gov.in/app/login.xhtml
    • https://www.tdscpc.gov.in/app/ded/panverify.xhtml
    • https://www.tdscpc.gov.in/app/logout.xhtml
    • https://stacos.com/join/email?Name=
    • https://tdsprime.com
    • https://eportal.incometax.gov.in/iec/foservices/#/download-csi-file/tan-user-detailsA@�
    • https://tdsprime.comA@�
    • http://ns.attribution.com/ads/1.0/
    • https://tdsprime.zendesk.com/hc/en-us/articles/21238007283865-How-to-Unblock-Macros-in-e-TDS-XL
    • https://www.youtube.com/watch?v=2E_SQTUdPfo
    • https://tdsprime.zendesk.com/hc/en-us/articles/29945212047769-How-to-Enable-the-Macros-in-eTDS-XL
    • https://www.youtube.com/watch?v=5eEXeZMqItM
    • https://support.microsoft.com/en-us/office/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
    • https://tdsprime.zendesk.com/hc/en-us/search?utf8=%E2%9C%93&query=%22
    • https://api.whatsapp.com/send/?phone=919709123841&text=Hello%20Venkat
    • https://forms.gle/YhYXuC7Qiy6JumuQ8
    • https://tdsprime.zendesk.com/hc/en-us
    • https://forms.gle/mxfpnyoJSDgJoCj87
    • https://script.google.com/macros/s/AKfycbzgdsHGlLpxSeiN7kHNv0cca7BdEnnVAgPsqjvOa-Qi0MFdKdU/exec?software=eTDS-XL&rtype=caret
    • https://script.google.com/macros/s/AKfycbzTXgzvzdbH0wSFPv5C92J2qzywYLUAY9SE0pYW-whbicSrlLDe/exec?tan_name=
    • https://tdsprime.zendesk.com/hc/en-us/articles/360021163912
    • https://www.youtube.com/channel/UCF1cmdYy04AS1VB6NWajI0A
    • https://stacos2.pipedrive.com/scheduler/0RMOQ4hd/etds-xl-demo-and-queries
    • https://razorpay.com/payment-button/pl_I3B076gfMwzZ80/view
    • https://razorpay.com/payment-button/pl_I7IgbmmGr69VIa/view
    • https://razorpay.com/payment-button/pl_I7IliRPgXDPYsn/view
    • https://razorpay.com/payment-button/pl_I7IuJpxJmM0ySZ/view
    • https://razorpay.com/payment-button/pl_I7IvkjlJr9HM0a/view
    • https://razorpay.com/payment-button/pl_I7XFAFXjmJmq12/view
    • https://razorpay.com/payment-button/pl_I7XHU3PljzXoMb/view
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
83784a14ea2ee73eb8d39ea55c2b0f3ce7b53d85643407b733566e7b62fdfe44		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 689953 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
vbaProject_00.bin
b721109f2392f2cf3c1076a93b67c4e1747dc01577b277b2700d6e10d4249a6a		 vba-project OOXML VBA project: xl/vbaProject.bin 2158592 bytes
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: likely
Carved artifact contains 19 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.