Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e95a5072b5ea6d83…

MALICIOUS

Office (OOXML) / .XLSX

Size: 66.6 KB
Created: 2012-10-19 22:33:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: f15cb85951ccdddc8f97651935b558c1
SHA-1: 7212d262ce8063b8c9fac74d9383550762b23369
SHA-256: e95a5072b5ea6d8392293d20e71ff452e9863200d786e8c80d65c5f01d14e768
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1218 System Binary Proxy Execution

The critical heuristic 'LOLBin reference in VBA', combined with the high-severity 'Workbook_Open macro' and 'CreateObject call' firings, indicates that this Excel file is designed to execute VBA code automatically when it is opened. The macro attempts to create a file in the ALLUSERSPROFILE directory and uses CreateObject to instantiate COM objects, which suggests it is preparing to download and execute a second-stage payload. Obfuscation and truncation of the script prevent a full understanding of its ultimate goal, but the intent to download and execute is clear.

Heuristics (6)

  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin (VBA macros present).
  • Environ() call, i.e. environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 788e9a7d7c14c71fee978fdbf13dd79154a45aa8ba78a9cd9157ce915d746bc8
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 3607 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

  • Filename: vbaProject_00.bin
    SHA-256: 6ab9b9087518cd106bbc3511ae9dde4db6a248b4d6d70b422ca5b5136f79cb0c
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 16896 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.