Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 e92b19cb2f281114…

MALICIOUS

Office (OOXML) / .XLSM

Size: 384.3 KB
Created: 2021-02-15 19:29:50 UTC
Authoring application: Microsoft Excel 16.0300

MD5:     a0c7963611e48a1d9ee3d36eb238eff0
SHA-1:   f56037fef79c9dfc497f863aafc388a4800cb04e
SHA-256: e92b19cb2f281114eb2db737edd370bcf7d5ea35e84f07976d8d680abdb7d654

Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

A Workbook_Open procedure in the VBA project runs automatically when the workbook is opened (once the user enables macros), so the code is positioned to execute without any further interaction. The NOP-sled heuristic (20 or more consecutive 0x90 bytes inside the VBA project container) hints at embedded shellcode, but on its own it is a weak indicator: locate the run inside vbaProject.bin and confirm it sits in code-like data rather than padding before treating it as exploit code. GetObject obtains a COM object from a moniker string; in malicious macros it is commonly used to reach WMI (winmgmts:) or to instantiate objects without a literal CreateObject that keyword-based scanners would flag. The decoded VBA source (macros.bas, carved below) was not analysed further for this summary and no network indicators were extracted, so the payload and delivery mechanism remain undetermined; the combination of auto-execution and an external-object call nevertheless supports the malicious verdict.

Heuristics (4)

  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes in the VBA project container; a possible shellcode marker that should be confirmed by inspecting the surrounding bytes
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Auto-executing procedure: runs as soon as the workbook opens with macros enabled
  • GetObject call [high] OLE_VBA_GETOBJ
    COM object obtained by moniker string; frequently used to reach WMI or to avoid a literal CreateObject
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains xl/vbaProject.bin, so VBA macros are present
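The four checks above are simple enough to reproduce in a few lines. The script below is an added example, not the analysis platform's own code: it opens an .xlsm as the zip container it is, flags a vbaProject.bin member, measures the longest 0x90 run inside it, and runs a keyword triage over decoded VBA source. The rule IDs mirror the report's labels; the minimal .xlsm and the VBA snippet are constructed stand-ins for the sample, and decoding real VBA out of vbaProject.bin is assumed to be done beforehand with oletools' olevba, as the report did.

```python
"""Reproduce the report's OOXML/VBA heuristics (added example, not platform code)."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

NOP_SLED_MIN = 20  # the report's threshold: 20+ consecutive 0x90 bytes

# Procedure names Office runs automatically (assumption: a short, common list)
AUTOEXEC_RE = re.compile(
    r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b",
    re.IGNORECASE,
)
# Calls that commonly reach outside the VBA sandbox
SUSPICIOUS_RE = re.compile(
    r"\b(GetObject|CreateObject|Shell|URLDownloadToFile)\b", re.IGNORECASE
)

Hit = Tuple[str, str, str]  # (rule id, severity, detail)


def find_vba_parts(xlsm_bytes: bytes) -> List[str]:
    """Zip members that hold a VBA project (the OOXML_VBA check)."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 bytes (the SC_NOP_SLED check)."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def triage_vba_source(src: str) -> Dict[str, List[str]]:
    """Keyword triage of decoded VBA source (OLE_VBA_WBOPEN, OLE_VBA_GETOBJ)."""
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}),
        "suspicious": sorted({m.group(1) for m in SUSPICIOUS_RE.finditer(src)}),
    }


def triage_xlsm(xlsm_bytes: bytes, decoded_vba: Optional[str] = None) -> List[Hit]:
    """Run the four heuristics and return (rule, severity, detail) hits in order."""
    hits: List[Hit] = []
    parts = find_vba_parts(xlsm_bytes)
    if parts:
        hits.append(("OOXML_VBA", "medium", "VBA project: " + ", ".join(parts)))
        with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
            for p in parts:
                n = longest_nop_run(zf.read(p))
                if n >= NOP_SLED_MIN:
                    hits.append(("SC_NOP_SLED", "high",
                                 f"{n} consecutive 0x90 bytes in {p}"))
    if decoded_vba:
        t = triage_vba_source(decoded_vba)
        if t["autoexec"]:
            hits.append(("OLE_VBA_WBOPEN", "high",
                         "auto-exec: " + ", ".join(t["autoexec"])))
        if any(s.lower() == "getobject" for s in t["suspicious"]):
            hits.append(("OLE_VBA_GETOBJ", "high", "GetObject call"))
    return hits


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the sample (not the real file): a minimal OOXML
    zip whose fake vbaProject.bin contains a 24-byte run of 0x90."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr(
            "xl/vbaProject.bin",
            b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + b"\x90" * 24 + b"\x00" * 8,
        )
    return buf.getvalue()


# Constructed VBA source standing in for the decoded macros.bas
SAMPLE_VBA = """\
Private Sub Workbook_Open()
    Dim svc As Object
    Set svc = GetObject("winmgmts:")
End Sub
"""

if __name__ == "__main__":
    for rule, sev, detail in triage_xlsm(build_sample_xlsm(), SAMPLE_VBA):
        print(f"{rule:15} {sev:7} {detail}")
```

On a real sample, feed `triage_xlsm` the file bytes and the source olevba extracted; the 0x90 check only tells you where to look, so follow a SC_NOP_SLED hit by dumping the offset and deciding whether the run sits in code-like data or in padding.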

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                       Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  3179 bytes
  SHA-256: f437fabc8c105df57b930d613fa9833907502b8d76bbbab706cf64697706d2b9
vbaProject_00.bin  vba-project  OOXML VBA project: xl/vbaProject.bin                         15872 bytes
  SHA-256: 0001b2e8db2b405c370c03ce29f8923a42104e739417d7fcfdd41d982a342c2f