Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 beabff1f10e329f8…

MALICIOUS

Office (OOXML) / .XLSM

Size: 37.2 KB
Created: 2021-01-19 12:50:29 UTC
Authoring application: 16.0300
MD5: ca08990a6b5b09fbe4f7ce6b789bc79f
SHA-1: 0985241968387be9c24cb9f4e6a07e7426efa0b2
SHA-256: beabff1f10e329f89a446c9cba345d47cea69050553210558e793d8857452f7c
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell
  • T1204.002 Malicious File

This XLSM file contains Excel 4.0 macros, indicated by the critical heuristic firings for 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_DANGEROUS_FN'. The 'RETURN()' function in the XLM macro sheet is a known primitive for executing arbitrary code. The Auto_Open VBA macro also appears to be involved in the execution chain, though its exact function is obfuscated. The primary attack pattern involves leveraging these macro capabilities to download and execute a secondary payload.

Heuristics (6)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: RETURN [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1927 bytes
    SHA-256: 1725c738d05c050a7db0f12632ceb2bc76daa84956ba231a03b95c496ad373d8
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 19968 bytes
    SHA-256: f25dcc4f78ebf1fb7ad80f4a5b0d537c42fe1fbed6fd8b6cfef1d79e370a1d03
  • xlm_sheet_00.xml
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 1103 bytes
    SHA-256: 5b5dcb2f030adcab65a6222035f9e1adf076e7494a34f1fe990be2faa35a9a03