Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f8bcbdcee35ecafe…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM

Size: 78.3 KB
Created: 2020-06-17 09:50:40 UTC
Authoring application: Microsoft Excel 16.0300
MD5: d4699d9968af7be6602db7debab17012
SHA-1: 979725178c6e0b5cfb6c54db508c52135db3b383
SHA-256: f8bcbdcee35ecafe53c58b8a35bf93db799e7a42136ecb7332d636745744c400
Risk score: 328

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

This XLSM file contains VBA macros that use Shell() and CreateObject() calls, which indicates execution of external commands or scripts. The presence of 'macros.bas' and 'vbaProject_00.bin' together with the ClamAV detection ('Xls.Dropper.Agent-8149513-0') strongly suggests the macro's purpose is to download and execute a second-stage payload. The heuristic 'OOXML_DOWNLOAD_SHAPE' further suggests a social-engineering lure designed to trick users into enabling macro execution.

Heuristics 8

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • ClamAV: Xls.Dropper.Agent-8149513-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-8149513-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin, so VBA macros are present.
  • Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Call-to-action shape / download button (low, OOXML_DOWNLOAD_SHAPE)
    The document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box, a common visual lure used to trick users into enabling macros or visiting a malicious URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 9522bd5e66ee0867adea1a94311c48897356f2b09da1bf2f215466004be4e0b0
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1010 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 shell/COM execution token)
  • Filename: vbaProject_00.bin
    SHA-256: 4053af92ac9547df8206d6dc9ced5361fb428a0044744b85d9020c2e2d5b790f
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 10752 bytes
    Detection: ClamAV: Xls.Dropper.Agent-8149513-0
    Obfuscation or payload: likely (carved artifact contains 1 shell/COM execution token)
  • Filename: emf_00.emf
    SHA-256: 20a3d436f82619f5a04fc910b565a81ef21f083037a9588f967b2832dafc76f5
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 2368 bytes