Office (OOXML) / .XLSM malware analysis — malicious · e9809731d9e5e64f

MALICIOUS

Office (OOXML) / .XLSM

40.0 KB Created: 2020-10-14 10:42:05 UTC Authoring application: 16.0300

MD5: c0b0bbb4d93629f2cecbc7e36dfe4ca7 SHA-1: 51223af0138d7cc190588e760b176426f8ab7483 SHA-256: e9809731d9e5e64f02f94fe70747049f46d8cb476a2e1337f0114a5edc120d87

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that the VBA code is designed to execute Excel 4.0 macros. The VBA script 'macros.bas' contains obfuscated code that decodes and concatenates a long string of URLs. This string is then used to download and execute a second-stage payload. The reconstructed URL string is a primary indicator of the download mechanism.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `12e86fddf2a1edca3ad5f266b52f61d8a6c56429cfec9635afa2d960c9bc51e1`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1993 bytes
`vbaProject_00.bin` `6dc2ce12bcc3f8a329063bb8d6c87e4ba267a2377085d63482283977f897f2d4`	vba-project	OOXML VBA project: xl/vbaProject.bin	19968 bytes
`emf_00.emf` `1edf3af5b8612b5fc04d03267fe21578c963ef1a54967a99410d410fd80a7936`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.