Office (OOXML) / .XLSM malware analysis — malicious · c08dcd891fb9d306

MALICIOUS

Office (OOXML) / .XLSM

1.92 MB Created: 2017-01-19 12:48:32 UTC Authoring application: Microsoft Excel 16.0300

MD5: 66eca3d6b1bd29d7cc361904dea29e49 SHA-1: 52163af8b4d35131640a1a704348896112dd1266 SHA-256: c08dcd891fb9d3061c7b67ced43677b8af8fa7a09dd9cff8b285949a4579ca0c

68 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is an XLSM document containing VBA macros, a common delivery mechanism for malicious payloads. A heuristic indicates the document attempts to lure the user into calling a phone number, consistent with callback phishing or tech-support scams. No specific IOCs like URLs or hashes were extracted, and the VBA code was not detailed enough to determine its exact function.

Heuristics 4

NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x40 bytes
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 22

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `aac9df2697bf0fddcfbf87beff3b230f7638aa02a48d0a702642631ff2bdd856`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	27110 bytes
`vbaProject_00.bin` `0f7f13ff34714515307f000a41ef9c8f6c62e8ea17b7d2baf9260296a3bd3fba`	vba-project	OOXML VBA project: xl/vbaProject.bin	84992 bytes
`emf_00.emf` `686b925d28b3d623ed3a153a9003775a2f3f68c8f214202ee4946d2d5c11ac7b`	ooxml-emf	OOXML EMF part: xl/media/image14.emf	2640 bytes
`emf_01.emf` `6f58bd5909623886f3337ba5a20342fc31a268b658162093d65131c68459e69e`	ooxml-emf	OOXML EMF part: xl/media/image16.emf	2672 bytes
`emf_02.emf` `31652b07ea21fc0cf9f1c5fd64eba58193460c3eaae7e1d22e405f57616c2b31`	ooxml-emf	OOXML EMF part: xl/media/image17.emf	2652 bytes
`emf_03.emf` `281099a6bb32929924638a452d4181cb241bdcbfab30ef5bd86e24512310290f`	ooxml-emf	OOXML EMF part: xl/media/image18.emf	2672 bytes
`emf_04.emf` `6cef87ad41ebc3e2d560d26ded7a6618a3925249c7694ebcc74b0aaa657edc8d`	ooxml-emf	OOXML EMF part: xl/media/image13.emf	2672 bytes
`emf_05.emf` `70607ceebf27d9c8439ea801232935b4774b3fed0893528249fa5e99df9a2bcb`	ooxml-emf	OOXML EMF part: xl/media/image12.emf	2652 bytes
`emf_06.emf` `d8f1f4ed55d2d141fb14a84eb976aff8c872f229d193a5f4ebc281176f830ed5`	ooxml-emf	OOXML EMF part: xl/media/image11.emf	2636 bytes
`emf_07.emf` `7593a16575b14d53346cacce37ed1315c92ee448d09c69019e8bbe4948788f48`	ooxml-emf	OOXML EMF part: xl/media/image7.emf	2688 bytes
`emf_08.emf` `3958b9596e529f288c3e77eb63afa0bfd0da9732a61c87d39efbfd8924d7c627`	ooxml-emf	OOXML EMF part: xl/media/image8.emf	2708 bytes
`emf_09.emf` `d67eebcaff15133b42771696edfc6082e7ad7a9eaffd0befe023cc37659e2728`	ooxml-emf	OOXML EMF part: xl/media/image9.emf	2652 bytes
`emf_10.emf` `1538f47af1637861a8b162895e7cb4be83488328535ad1c4eb787a097cceecc0`	ooxml-emf	OOXML EMF part: xl/media/image10.emf	2640 bytes
`emf_11.emf` `80f2bd3400d18b8dc51c3d3465f7ba6bf4de3bfdeac257e89dd801ae3e8ec891`	ooxml-emf	OOXML EMF part: xl/media/image19.emf	2708 bytes
`emf_12.emf` `68aa2dfce53183d2e2767f33057eca5e6a0a412528ae27583fd26728ca81bf0a`	ooxml-emf	OOXML EMF part: xl/media/image20.emf	2696 bytes
`emf_13.emf` `6560ae6f296cb8618b2346731d7e476e395d1bbf2abc02b6036fd76985fe37e3`	ooxml-emf	OOXML EMF part: xl/media/image6.emf	2672 bytes
`emf_14.emf` `7f02032a2ea00628880d5b3c45cd77fa36c989926c39b6d287a15dcffaf7fa9f`	ooxml-emf	OOXML EMF part: xl/media/image15.emf	2696 bytes
`emf_15.emf` `0bc76f1acccb7a92dd833d5a6274ce7f25cacdfe57960182d06686fab8cd2a9b`	ooxml-emf	OOXML EMF part: xl/media/image3.emf	2652 bytes
`emf_16.emf` `aeeac783bfdef4bd76db88cc2a4b6ff22948b518c7a117d1cc2e8b17c11843e3`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	2672 bytes
`emf_17.emf` `ce00c070cefdae42957166bfd7c66daebec97f7499cc6fb4a4729092dcd3ab00`	ooxml-emf	OOXML EMF part: xl/media/image4.emf	2652 bytes
`emf_18.emf` `2899cc806b1edc50e4f5aa90bc0e446fdee3073bb43e751f1860d058e512323e`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4128 bytes
`emf_19.emf` `1d86f53a2819917ac98cc678dbf05fcb9435126ce77961ea38011051559b7ac3`	ooxml-emf	OOXML EMF part: xl/media/image5.emf	2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.