SOC138 - Suspicious XLSM File Detected (Malicious Macro-Based Infection)
Summary
This investigation was triggered by a SOC138 - Detected Suspicious XLS File alert involving a macro-enabled Excel document (ORDER SHEET & SPEC.xlsm).
Threat intelligence confirmed that the file contains heavily obfuscated macros designed to execute malicious code. Behavioral indicators suggest exploitation techniques and payload execution.
Network logs further revealed suspicious outbound communication, confirming that the file was actively used in a malware infection scenario.
The affected host was immediately contained.
Alert Overview
- Event ID: 77
- Rule: SOC138 - Detected Suspicious XLS File
- Severity: Medium
- Source Host: Sofia
- Source IP: 172.16.17.56
- User: Sofia2020
- File Name: ORDER SHEET & SPEC.xlsm
- File Hash (SHA256): 7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
- File Size: 2.66 MB
- Action: Allowed
Endpoint Information
- Hostname: Sofia
- Operating System: Windows 10 (64-bit)
- Domain: LetsDefend
- Primary User: Sofia2020
- Containment Status: Contained
File Analysis
VirusTotal Results

| Result | Value |
|---|---|
| Detection Ratio | 48 / 66 |
| Verdict | Malicious |
File Characteristics
- File Type: Excel Macro-Enabled File (.xlsm)
- Behavior Tags:
  - macros
  - obfuscated code
  - auto-open execution
  - run-dll / WMI calls
  - exploit behavior (CVE-2017-11882)
  - payload execution
Analysis
- High detection rate → confirmed malicious file
- Obfuscation → attempts to evade detection
- Macro execution → primary infection mechanism
- CVE reference → potential exploitation of known vulnerability
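The first two triage steps above (hash lookup against known indicators, then confirming the workbook actually carries a VBA project with an auto-execution entry point) can be done statically before the file is ever opened. The script below is an added example, not part of the original report or of any LetsDefend tooling. It uses the SHA256 from the alert as its indicator list, treats the .xlsm as the ZIP container it is, and looks for `xl/vbaProject.bin` and the usual auto-exec procedure names. The sample workbooks it builds are constructed in memory for the demo; real `vbaProject.bin` streams store module source in MS-OVBA compressed form, so the plaintext keyword match is only a coarse first check and a proper analysis would use a VBA extractor such as olevba from oletools.

```python
import hashlib
import io
import zipfile

# Indicator taken from the alert overview above.
KNOWN_BAD_SHA256 = "7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813"

# VBA entry points that run without the user clicking anything beyond "Enable Content".
AUTO_EXEC_NAMES = (b"Auto_Open", b"Workbook_Open", b"Document_Open",
                   b"Auto_Close", b"Workbook_BeforeClose")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_xlsm(data: bytes, ioc_hashes=(KNOWN_BAD_SHA256,)) -> dict:
    """Static triage of an Office Open XML workbook without opening it in Excel.

    Returns the hash, whether it is on the IoC list, whether the container is a
    valid OOXML zip, whether a VBA project is embedded, and which auto-exec
    procedure names were seen in the VBA stream (coarse plaintext heuristic).
    """
    result = {
        "sha256": sha256_of(data),
        "hash_in_ioc_list": False,
        "is_ooxml_zip": False,
        "has_vba_project": False,
        "auto_exec_names": [],
    }
    result["hash_in_ioc_list"] = result["sha256"] in ioc_hashes

    # .xlsm / .xlsx files are ZIP archives; anything else is not a workbook.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_ooxml_zip"] = True

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # A macro-enabled workbook stores its VBA project as xl/vbaProject.bin.
        vba_members = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        result["has_vba_project"] = bool(vba_members)
        for member in vba_members:
            blob = zf.read(member)
            # Heuristic only: real VBA source is compressed inside this stream,
            # so a miss here does not prove there is no Auto_Open.
            result["auto_exec_names"].extend(n.decode() for n in AUTO_EXEC_NAMES if n in blob)
    return result


def build_sample_xlsm(with_macro: bool, auto_open: bool) -> bytes:
    """Constructed minimal workbook-like ZIP for the demo (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            body = b'Attribute VB_Name = "Module1"\r\n'
            if auto_open:
                body += b"Sub Auto_Open()\r\n    Call Run\r\nEnd Sub\r\n"
            zf.writestr("xl/vbaProject.bin", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_xlsm(False, False)),
                          ("macro+auto_open", build_sample_xlsm(True, True))):
        print(label, triage_xlsm(sample))
```

In an investigation the file bytes would come from the quarantined sample rather than `build_sample_xlsm`; a `hash_in_ioc_list` hit or a `has_vba_project` with any `auto_exec_names` is enough to justify the containment decision recorded in this report, and the VBA source itself then goes to olevba for deobfuscation.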
Network Analysis
| Attribute | Value |
|---|---|
| Source IP | 172.16.17.56 |
| Destination IP | 177.53.143.89 |
| Port | 443 |
| Protocol | HTTPS |
Analysis
- Suspicious outbound connection detected
- Encrypted traffic → possible C2 communication
- No legitimate business justification observed
Log Analysis
Raw Log Insight

- Data appears:
  - Encoded / obfuscated
  - Non-human readable
Interpretation
- Likely:
  - Encoded payload
  - Encrypted communication
  - Malware staging activity
Affected Host Contained

Behavioral Indicators
| Indicator | Status |
|---|---|
| Malicious File Detected | Confirmed |
| Macro Execution | Confirmed |
| Obfuscation | Present |
| Exploit Usage | Suspected (CVE-2017-11882) |
| External Communication | Confirmed |
| Host Compromise | Confirmed |
Investigation Steps
- Reviewed alert details and suspicious XLSM file
- Checked file hash in VirusTotal
- Confirmed high detection ratio (48/66)
- Analyzed macro behavior and obfuscation
- Identified exploit-related indicators
- Investigated firewall/network logs
- Detected suspicious outbound communication
- Analyzed raw log data (encoded payload)
- Contained the affected host
Incident Response Actions
- Host isolated / contained
- Malicious file identified
- Threat intelligence validated
- Network indicators identified
- Logs preserved for further analysis
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.001 - Phishing: Spearphishing Attachment | Malicious Excel file delivery |
| Execution | T1204.002 - User Execution: Malicious File | User opened XLSM file |
| Execution | T1059.005 - Command and Scripting Interpreter: Visual Basic | Macro execution |
| Exploitation | T1203 - Exploitation for Client Execution | CVE-2017-11882 |
| Defense Evasion | T1027 - Obfuscated Files or Information | Obfuscated macro code |
| Command & Control | T1071.001 - Application Layer Protocol: Web Protocols | HTTPS communication |
| Impact | T1105 - Ingress Tool Transfer | Payload delivery |
Final Verdict
| Category | Result |
|---|---|
| Malware Presence | Confirmed |
| File Type | Malicious XLSM (Macro-based) |
| Infection Method | Macro Execution |
| Exploit Involvement | Likely (CVE-2017-11882) |
| Command & Control | Suspected |
| Host Compromise | Confirmed |
| Alert Classification | True Positive |
| Incident Severity | High |
Conclusion
This alert represents a confirmed macro-based malware infection delivered via an Excel document.
The file utilized:
- Obfuscated macro code
- Auto-execution techniques
- Possible exploitation of known vulnerabilities
Network activity confirmed communication with an external system, indicating potential command-and-control interaction or payload delivery.
Immediate containment was required to prevent:
- Lateral movement
- Data exfiltration
- Further malware execution