Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 bcacb9b88e195969…

MALICIOUS

Office (OOXML) / .XLSM

Size: 967.4 KB
Created: 1997-11-13 13:59:22 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2025-08-20
MD5: 458260b44f8190c16fbce00fcdeb9b9d
SHA-1: 5aee6e602a715ef3df309d5e1a504e2816565013
SHA-256: bcacb9b88e19596912b0d0af4d5f2e884910cd84fef6af7448d203c4981e2eb6
Risk Score: 400

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer

The sample is an XLSM file containing a Workbook_Open macro that attempts to lure the user into enabling macros. The macro then proceeds to download a file named 'UPDATE-Task.txt' from the URL https://workspace.sbt.siemens.com/content/00001000/fss/serviceability/download/Backup/. This indicates a downloader or initial access stage for a more complex attack.

Heuristics (13)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [critical] OLE_VBA_WSCRIPT: WScript.Shell usage
  • [critical] OLE_VBA_OBFUSCATED_SHELL_URL: Obfuscated VBA Shell command with URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • [high] OOXML_VBA_PROJECT_RENAMED: VBA project part renamed to evade filename detection
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • [high] OLE_VBA_WBOPEN: Workbook_Open macro
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/vbaProjectSignatureV3.bin)
  • [medium] SE_ENABLE_LURE: Macro/content-enable lure
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (veryHidden)
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • [info] VBA_SIGNED_TRUSTED: VBA project carries a recognised code-signing signature
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ocsp.quovadisglobal.com06
    • https://workspace.sbt.siemens.com/content/00001000/fss/serviceability/download/Backup/
    • http://trust.quovadisglobal.com/qvcscag1.crt0*
    • http://www.quovadisglobal.com/repository0
    • http://crl.quovadisglobal.com/qvcscag1.crl0
    • http://trust.quovadisglobal.com/qvrca2.crt0
    • http://crl.quovadisglobal.com/qvrca2.crl0

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | f530db443e2eeede36e412fd0f7cea1d51ee0f1a1302ffbc6c4b20980d08d684 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 83098 bytes
vbaProject_00.bin | 1fe0bd03797bff446d75c522da28cf56b1fd4c9813c7ee7a035feb19a4620d25 | vba-project | OOXML VBA project: xl/vbaProject.bin | 275968 bytes
vbaProject_01.bin | d0a9d9e2987e4b74b93981e931d0075768a79ccf23b5c073f6defdd3e23c0a1d | vba-project | OOXML VBA project: xl/vbaProjectSignatureV3.bin | 6912 bytes
vbaProject_02.bin | d722e4fed5f246cd2f91e1671c84a2cbd8addd60d58dc7d17eb454fb74b98430 | vba-project | OOXML VBA project: xl/vbaProjectSignatureAgile.bin | 6912 bytes
vbaProject_03.bin | 90da429ecf6d407199d95b1ceb4ade1c7e53a9010b48c54ec27bdb2480b0329c | vba-project | OOXML VBA project: xl/vbaProjectSignature.bin | 6796 bytes