Office (OOXML) / .XLSM malware analysis — malicious · e1facaa7b9d00086

MALICIOUS

Office (OOXML) / .XLSM

51.8 KB Created: 2020-07-01 07:07:10 UTC Authoring application: Microsoft Excel 16.0300

MD5: 21e0ed9574ed969cc9982d6c349c0297 SHA-1: 4f38f42e92abf3120604b4198f544a479a45df86 SHA-256: e1facaa7b9d0008649fcbcb6b05800ca9866c9b821f6a7a220f200772fa0eba5

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an XLSM document containing VBA macros, as indicated by the OOXML_VBA heuristic and the presence of macros.bin. ClamAV detection identifies it as 'Doc.Dropper.Agent-8453959-0', suggesting a dropper functionality. The embedded VBA macros are likely responsible for downloading and executing a secondary payload, a common tactic for droppers. No specific URLs or further script details were provided for deeper analysis.

Heuristics 2

ClamAV: Doc.Dropper.Agent-8453959-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-8453959-0
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1d338e2dc871882d4d9bebaf601107b99ca6126479ff0610e87764ba2649f530`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1015 bytes
`vbaProject_00.bin` `3e7527dbe5574921cd999e2d766e526e5ea5d854d4c0f13f32b6b3cb401a052d`	vba-project	OOXML VBA project: xl/vbaProject.bin	10752 bytes
`emf_00.emf` `707591b3f9f105a5c2a664717f404c5f2e72255a452313005c47c770376bcf6b`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	2384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.