Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 dc6a60b3e34036ff…

MALICIOUS

Office (OOXML) / .XLSM

Size: 30.4 KB
Created: 2021-03-02 09:04:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 511e8b55bf83390403e4072289dc7bb5
SHA-1: c7b3aca0a6de2f58c2df50438add0f936d4e6e0c
SHA-256: dc6a60b3e34036ff634a0cb836fbe878ea4d8f7b109958d5faaf72f00908141f
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The file is an XLSM document containing both VBA macros and an Excel 4.0 (XLM) macro sheet, indicating a macro-based execution attack. The VBA code appears to be obfuscated, and the presence of an Excel 4.0 macro sheet (xlm_sheet_00.xml) is a strong indicator of malicious intent, since XLM macros are commonly used to download and execute further stages. The heuristics confirm the presence of VBA macros, an Excel 4.0 macro sheet, and hidden sheets, which are commonly used to conceal malicious content.

Heuristics 4

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains vbaProject.bin — VBA macros present
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename            Kind             Source                                                          Size
macros.bas          vba-macro        oletools.olevba.extract_macros (decoded VBA source from OOXML)  2381 bytes
  SHA-256: 3942f1b7912f38fe8ec4385d56db234fa88f9c56843e1a175049c79e25eaf6c6
vbaProject_00.bin   vba-project      OOXML VBA project: xl/vbaProject.bin                            25088 bytes
  SHA-256: 4d5b7f775ba3b0402233f25969b9927e3b2714449ba93bf0c0a4dc52285e69e0
xlm_sheet_00.xml    xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/sheet1.xml                865 bytes
  SHA-256: 6a391656549201c887614cde60218159fa7da164fd87c00b12dd24200c865d3e