Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f2fbccfe10a70a5c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 470.7 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel
First seen: 2026-06-13
MD5: 9ecf42dbbea3585c7a98c3efcc6fd325
SHA-1: 63d28cf119f1141d72c847aa02a4b4d1b88f15b0
SHA-256: f2fbccfe10a70a5c3353a1fa5a591736dee4d53789bda411338a108e3cc2e8c5
Risk score: 228

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 5 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA (severity: critical) [OLE_VBA_DOWNLOAD]
    URLDownloadToFile in VBA
    Matched line in script
       Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  • VBA downloads and writes a file to disk (severity: critical) [OLE_VBA_HTTP_DROP_EXEC]
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            S.write H.Responsebody
  • CreateObject call (severity: high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script
            Set H = CreateObject("Microsoft.XMLHTTP")
  • VBA downloader reads URL from worksheet cell (severity: high) [OOXML_VBA_DYNAMIC_CELL_URL_SOURCE]
    OOXML workbook contains VBA that reads a worksheet cell into a URL variable and passes it to a download API such as Microsoft.XMLHTTP.Open or URLDownloadToFile, but the stored cell value does not contain an extractable external URI. This is a dynamic URL source rather than a missed literal IOC.
  • Auto_Open macro (severity: low) [OLE_VBA_AUTO]
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3475 bytes
SHA-256: 2e12b22f9afb5f62e4b239118388b0b1a9fee6ddea17fc9c9490ecb5977159ba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "模块1"
#If Win64 Then
   Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Public Declare PtrSafe Function DeleteUrlCacheEntry Lib "wininet" Alias "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long
    Declare PtrSafe Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Public Declare Function DeleteUrlCacheEntry Lib "wininet" Alias "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long
    Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
#End If

Sub Auto_Open()

    Set Rng = Range("G4")
    Rng.Value = Trim(Rng.Value)
    If Len(Rng.Value) > 0 Then
        Dim nUrl As String, localFilename As String, lastname As String, lngRetVal As Long
        nUrl = Rng.Value
        If (InStr(nUrl, "?") > 0 And InStr(nUrl, "Expires") > 0 And InStr(nUrl, "OSSAccessKeyId") > 0 And InStr(nUrl, "Signature") > 0) Then
            lastname = Mid(nUrl, InStrRev(nUrl, ".", InStrRev(nUrl, "?")), (InStrRev(nUrl, "?") - InStrRev(nUrl, ".", InStrRev(nUrl, "?"))))
        Else
            lastname = Mid(nUrl, InStrRev(nUrl, "."))
        End If
        
        localFilename = ThisWorkbook.Path & "\gep" & lastname
        'lngRetVal = URLDownloadToFile(0, nUrl, localFilename, 0, 0)
        
        'If lngRetVal = 0 Then
        '    DeleteUrlCacheEntry nUrl
        'End If
        Dim H, S
        Set H = CreateObject("Microsoft.XMLHTTP")
        H.Open "GET", nUrl, False
        H.send
        Set S = CreateObject("ADODB.Stream")
        S.Type = 1
        S.Open
        S.write H.Responsebody
        S.savetofile localFilename, 2
        S.Close
        
        With ActiveSheet.Pictures.Insert(localFilename)
            If ((.Height / .Width) > ((Rng.Height / Rng.Width) * 5)) Then
                .Top = Rng.Top
                .Left = Rng.Left + (Rng.Width - .Width * Rng.Height * 5 / .Height) / 2
                .Width = .Width * Rng.Height * 5 / .Height
                .Height = Rng.Height * 5
            Else
                .Left = Rng.Left
                .Top = Rng.Top + (Rng.Height * 5 - .Height * Rng.Width / .Width) / 2
                .Height = .Height * Rng.Width / .Width
                .Width = Rng.Width
            End If
        End With
        Rng.Value = ""
        DeleteFile localFilename
    End If
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "模块2"
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 23552 bytes
SHA-256: d395ebd29c5734216dcc76d904e190cb0f2657f10063083e1a0410201b26b0d2