Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e5e65b70b5497f14…

MALICIOUS

Office (OOXML) / .XLSX

Size: 67.2 KB
Created: 2001-04-16 18:40:12 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c123363068a4651c9c0c6b4e01b35142
SHA-1: 8de437d8df29c53e9ebb03a797fdbf805c10429a
SHA-256: e5e65b70b5497f146609db5c086e997a4b0ab2352b534c9e25d8a10407801d78
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

This XLSX file contains a Workbook_Open macro that is triggered automatically when the document is opened. The macro references PowerShell and cmd.exe, and uses WMI to launch processes, indicating it's designed to execute arbitrary commands. The presence of a Base64 decoding function within the VBA code suggests obfuscation to hide the actual payload. The primary intent appears to be downloading and executing a second-stage payload from an external source, facilitated by the macro's execution capabilities.

Heuristics (8)

  • PowerShell reference in VBA (critical, OLE_VBA_PS)
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin: VBA macros present
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/main
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: f0dff347b30dac966d7e7eda5a2e0a6d510e955fc81789cd77d1ac0c8ffa3881
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 119045 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

vbaProject_00.bin
  SHA-256: 4ffa09e9909a2a8285aebab9e6679e97d24edd9fab2f2c971f1f765364d34d1b
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 27648 bytes