Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 d6866432f4aa484a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 27.8 KB
Created: 2020-11-11 12:15:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b2d4ec93ef218fce46dda7fafe65c346
SHA-1: 994a588bcdfe6f23e07c0d90590b6438a29dbd71
SHA-256: d6866432f4aa484a3cd01cdcd30de118e24b6d8610cf1da631a6d4879989b06c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1059.001 (Command and Scripting Interpreter: PowerShell)

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that the VBA code within this OOXML document is designed to decode and execute an Excel 4.0 macro. This suggests the primary intent is to download and run a secondary malicious payload. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted from the document body.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro (severity: critical; id: OLE_VBA_ACTIVEX_XLM_STAGER)
    VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
  • VBA project inside OOXML (severity: medium; id: OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

macros.bas
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size:    2073 bytes
  SHA-256: 7e99c2a39ec508a2e6984dd3d7b9e112bee0e64b472ffcc4ab0030c156f61a0d

vbaProject_00.bin
  Kind:    vba-project
  Source:  OOXML VBA project: xl/vbaProject.bin
  Size:    20480 bytes
  SHA-256: f67ac19ee6cfa6b7d6ea62a35c3527c5c60ddf47f41d3e3e713e93046404aca3

emf_00.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image1.emf
  Size:    2024 bytes
  SHA-256: 8357e7f07f41a1e53a6ef35edda5f8d6ef14c676e025cb302cff4e47f3ae55a8