Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c5ebeac508731fa2…

MALICIOUS

Office (OOXML) / .XLSM

Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: dbbf36df3b43ef0b602bc1b77da8cdf3
SHA-1: 59019a4edf70fe88e40f4d12c7d8b4c97a9a9755
SHA-256: c5ebeac508731fa22546d2e2893a9fa58ba6b885b7bf8b16c0807d6ee6ba5a73
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic

This XLSM file contains VBA macros that reference PowerShell and cmd.exe and call the GetObject function. The VBA code includes a Base64 decoding function, suggesting that obfuscated commands are being executed. The primary intent appears to be downloading and executing a second-stage payload, as indicated by the heuristic firings and the presence of VBA macros designed for code execution.

Heuristics (5)

  • PowerShell reference in VBA [critical] OLE_VBA_PS
    PowerShell reference in VBA
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin: VBA macros present
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

macros.bas
  SHA-256: 87b70f319e5fc5619ef83faadbd5e2aec1afaa001da874a92212a1b0577957f9
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s).

vbaProject_00.bin
  SHA-256: d56e775bcbe36e288e1c9b5c3aaa93790e4136568d966591e3a7c42e19ad48ed
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes