Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c1411c5ec14996d8…

MALICIOUS

Office (OOXML) / .XLSM

437.9 KB Created: 2026-01-09 02:09:33 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-01-09
MD5: f591beade507a4cb615b9ba64c560751 SHA-1: 2e473c74bd5543a9f105d7f2046d12a2d425d981 SHA-256: c1411c5ec14996d8bb146c2fa2a610dfe170ef2aac87814f499b3497529f0f3d
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information T1059.005 Visual Basic

This XLSM file contains an obfuscated Auto_Open VBA macro that attempts to execute a payload. The macro references PowerShell and uses CreateObject and GetObject calls, indicating it's designed to download and run a second-stage executable. The document body explicitly prompts the user to 'Enable Content', a common lure for macro-enabled malware.

Heuristics 12

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (xl/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7df27ea9e2ef762732567ba34caec15ab91882bdd08a65cc1be6e744d055dbee		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 18025 bytes
ooxml_oleobject_00.bin
70157f517e8e7622f49eb112d8d4a10f08dac3a15857c3d92ac07a49bf869d89		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 712192 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.52, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
c4b54097f7a1ccb0a4e4a10497431b8d938a7ac0e030b18cf258cb2eb3c8adb6		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 705064 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
vbaProject_00.bin
67063b951eca0481a6118f835ed6189b6d2062d46dcdae8cf0c6fe41703e7ef4		 vba-project OOXML VBA project: xl/vbaProject.bin 38400 bytes
emf_00.emf
47b36d4917a574120d2728674abc24e9796871c1fc19eca067ce81eca3058888		 ooxml-emf OOXML EMF part: xl/media/image1.emf 4988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.