Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1211cef85d22e4b7…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 156.3 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7101d7323759a9a42961f71688c606ea
SHA-1: dac3cb6f4f52e131f4b159c4ccfb5f1fed4ddd5c
SHA-256: 1211cef85d22e4b7206ff68dfa8de50089ee4ea713840030e81ebbb422e9cb58
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file contains Excel 4.0 (XLM) macros, flagged by the OOXML_XLM_MACROSHEET heuristic. The OOXML_XLM_REASSEMBLED_PAYLOAD heuristic indicates that these macros assemble and execute a payload at run time, most likely by downloading a second-stage artifact from the embedded URL. The macro content itself is heavily obfuscated and truncated, which prevents a more detailed reconstruction of the execution flow.

Heuristics (2)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (3 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: XLM payload reassembled from CHAR()/split formulas
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256

  • xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 6579 bytes
    SHA-256: bab58cc6eb5e3215c02176182aff648346321f94b587b7311450429e781e5ac3
  • xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1469 bytes
    SHA-256: a9aefe05242b4b709b983db43606513132c5fdb5410b122800b2a9cbb0d5bc1f
  • xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 3937 bytes
    SHA-256: 8929c5eb942d2dda70c9d90f954cd2eccc32d7245e347d0d105c83041e73986d