Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d53c730c6d673d66…

MALICIOUS

Office (OOXML) / .XLSX

Size: 54.9 KB
Created: 2006-10-11 04:02:12 UTC
Authoring application: WPS Office 12.0000
MD5: 22f767233a7b3a6504bb40720c3d3afa
SHA-1: 5e24f039aa8c3e1991c7e8f71800c1c7e6550fe1
SHA-256: d53c730c6d673d66db1aef2ffcbbef0ca5cf3af8db8b441515a6deb54d254c7d
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an OOXML document containing VBA macros, as flagged by the 'OOXML_VBA' and 'EXTRACTED_FILE_STATIC_TRIAGE' heuristics. The 'SE_INVOICE_LURE' heuristic suggests the document body is designed to trick the user into interacting with malicious content. The 'OLE_VBA_LOLBIN' heuristic points to the use of legitimate system binaries (LOLBins) for malicious purposes via VBA. The extracted URL was present in the document body, although it was marked as benign. The VBA macros likely download and execute a second-stage payload.

Heuristics (5)

  • OLE_VBA_LOLBIN (critical): LOLBin reference in VBA
    The VBA source references a living-off-the-land binary (LOLBin).
  • EXTRACTED_FILE_STATIC_TRIAGE (high): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.j.mp/ajdddsdsdifdiijijsjcjosdj

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: d6ec53cfdefd60e3a34604fdd2114a56a160fb76587c036b493d0b6dac144dc0
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1854 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s).
  • Filename: vbaProject_00.bin
    SHA-256: 04aa4eefe7e857c6fcb416f2d4ab341eeeb220c971120a98f35af2104c53538a
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 14848 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.