Office (OOXML) / .XLSM malware analysis — malicious · ee03206e57bdd96f

MALICIOUS

Office (OOXML) / .XLSM

172.7 KB Created: 2021-03-22 13:16:47 UTC Authoring application: Microsoft Excel 15.0300

MD5: f51b8b73a5167dc3b2a8380176618717 SHA-1: 795cf999d645ff7a65821d7ed0b24036a41939a8 SHA-256: ee03206e57bdd96ff08080ed9412162e27778352872498afab99e08cde687097

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Signed Binary Proxy Execution: Rundll32

The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates that the VBA macro attempts to execute a process using WMI. The presence of a Workbook_Open macro suggests automatic execution upon opening the document. The VBA code likely downloads and executes a second-stage payload, as suggested by the 'EXTRACTED_FILE_STATIC_TRIAGE' heuristic which noted VBA Chr string obfuscation. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted.

Heuristics 5

VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `42039c769164df2dad4e03d29b0922d2a77b3134344230b26270610b1b4ea0ec`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	7857 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 16 Chr/ChrW string-construction calls.
`vbaProject_00.bin` `02eef8ba5dcc94f05bf868a0858a4eb335e56312e81ef788bce1a013e544447f`	vba-project	OOXML VBA project: xl/vbaProject.bin	61440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.