Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c9543baa2ba0d7d8…

MALICIOUS

Office (OOXML) / .XLSM

Size: 70.2 KB
Created: 2020-12-09 11:39:53 UTC
Authoring application: 16.0300
MD5: 8a3bed0723418f91f3378a3d6696d7b5
SHA-1: f060580acf6d0dc4d89a64089c97beaacedf071a
SHA-256: c9543baa2ba0d7d8b670213c02ba258041823cf79f558a3c7e4c9ad7923b2bc3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an XLSM file containing Excel 4.0 macros, indicated by the critical heuristic firings for OOXML_XLM_MACROSHEET and OOXML_XLM_DANGEROUS_FN. The presence of the RETURN() function in the xl/macrosheets/sheet1.xml file suggests an attempt to execute arbitrary code or download a payload. The VBA code, while obfuscated, also appears to be involved in the execution chain, potentially by triggering the XLM macros. The document body contains a long string of numbers which, when decoded, likely form part of a URL or command used for payload delivery.

Heuristics (5)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: RETURN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1857 bytes
    SHA-256: 5d22f067fe4bbc3c213acd3abe89acebfa354fb460484f9da9907fc410c54d5d
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 18432 bytes
    SHA-256: eb2e1ca9f8ce3920e5a6175e583c282fcf07690d60ef527fb599cb04b8452096
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 1976 bytes
    SHA-256: 76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d
  • xlm_sheet_00.xml
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 962 bytes
    SHA-256: 87ab48abcaf9ccd52ff9cb01385542be55fb5b868b5d6e752c446cb4d065f8e2