Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 fd122bb7c77aa94b…

Verdict: MALICIOUS
Type: Office (OOXML) / .XLSM
Size: 9.4 KB
MD5: 7e27910f97733931fad7e00a2f17f96a
SHA-1: 4f4f946bd6e27251100aaf5a1c77b08b8d2173bf
SHA-256: fd122bb7c77aa94b6919cdf4da57d5c1056efc4fb03a645cff6daa32428c9e41
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is an XLSM document containing VBA macros, which is a common delivery mechanism for malware. The heuristic firings indicate the presence of VBA macros with execution terms and an embedded URL. The embedded URL points to an executable file, suggesting the macro's purpose is to download and execute this payload.

Heuristics (3)

  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains vbaProject.bin, so VBA macros are present.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute the URLs they actually evaluated, while this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL: http://wibon.co.id/wp-content/themes/expeded.exe

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 32cdd51a436162a9909e90be8cb7f7e67fee8cc22c32276d2b2faf7d2ff12c2d
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3164 bytes

Filename: vbaProject_00.bin
  SHA-256: 2b28e011ee73998093fa1b32d7137f79fcc396f94b18296d998aff4f43dc7631
  Kind: vba-project
  Source: OOXML VBA project: xl\vbaProject.bin
  Size: 11776 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.