Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bb7ffef0ebd06f1e…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 402.6 KB
Created: 2000-04-13 21:48:14 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a8246e0d24f8ea3e862a1ee5e2e92e7c
SHA-1: 9087d4623328a9b9d833d37b093803259ff42597
SHA-256: bb7ffef0ebd06f1ef21d12e3c35e0794df93f8ec157b422f2f67f7b6449566c4
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1218 System Binary Proxy Execution

The sample is an Excel document containing VBA macros, including a Workbook_Open macro that runs automatically when the workbook is opened. The macro uses CreateObject to interact with the file system and may download or execute further payloads; this is evidenced by the creation of a file in the user profile directory. References to LOLBins are also present, which points to a multi-stage execution chain.

Heuristics (6)

  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin (VBA macros present).
  • Environ() call (low, OLE_VBA_ENVIRON)
    Access to environment variables via Environ().

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 96888a67f64579efca7a09cb75a2191b65a66a9aa88501f2b26eeb09fdf9d812
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3639 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

  • Filename: vbaProject_00.bin
    SHA-256: 1be32cfa7f4eac6685fbda35125701b29d3583ecd354bc90fe601fecbf2fd121
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 16896 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.