Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 e55cd9186628fa1f…

MALICIOUS

Office (OOXML) / .XLSM

486.0 KB Created: 2006-09-16 00:00:00 UTC Authoring application: 16.0300
MD5: 6397c267f0f25154a7d16f878868fe4f SHA-1: 0772055d8c66a334d7e9008d439a029441c276da SHA-256: e55cd9186628fa1fc7b5b68062c73d762884c17635d3432f897c4ce05571ae55
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

This XLSM file contains VBA macros, indicated by the OOXML_VBA heuristic. The presence of CreateObject and CallByName calls suggests the macros are designed to execute arbitrary code. The ClamAV detection further confirms its malicious nature. The document body contains text related to SQL databases and a sponsored advertisement for Backlink Builder, which may serve as a lure. The embedded URL 'https://backlinkbuilder.io/' is also noted.

Heuristics 7

  • ClamAV: Xls.Malware.Generic-9025118-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-9025118-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://backlinkbuilder.io/
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.micr
    • http://schemas

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d62b7790ed82e137be7df7cb7c14f49c7ffbd7f87b00228affa0b477cd67242a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6640 bytes
vbaProject_00.bin
c528e80c53c5d66b57cb3c3384383ccf248a43e95e2e69c749c766f5b0859ed6		 vba-project OOXML VBA project: xl/vbaProject.bin 1301504 bytes
Detection
ClamAV: Xls.Malware.Generic-9025118-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.