Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f9154e1d0766f4d3…

MALICIOUS

Office (OOXML) / .XLSM

285.9 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300
MD5: da9395e135c70b8ec3acc82c671250aa SHA-1: be02bf8399ea737e370d3f0e34c901647dd88e5a SHA-256: f9154e1d0766f4d3c6a1724cdb6f95966d2536f638bd9c61f7e57d47aee5ba6d
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

This XLSM file contains VBA macros, indicated by the OOXML_VBA heuristic. The presence of CreateObject and CallByName calls suggests dynamic execution of code. ClamAV detections (Xls.Dropper.Agent-8802594-0) confirm its malicious nature. The embedded URLs are malformed but indicate a potential attempt to fetch additional content or redirect the user. The document body contains financial-looking data, possibly a lure.

Heuristics 8

  • ClamAV: Xls.Dropper.Agent-8802594-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8802594-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.micr
    • http://schemas.microso�
    • http://schemas

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9b57c7e4bdfc2acdfbf82a4d62a725b561debe9b089aac4e9619f767cf8cdf3a		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3680 bytes
vbaProject_00.bin
fad30b1adce154b10cff417f72cebd927d675d181e52b66e9a2c3b151890a9ab		 vba-project OOXML VBA project: xl/vbaProject.bin 678912 bytes
Detection
ClamAV: Xls.Dropper.Agent-8802594-0
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.