Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 12bbd7661b6fd48f…

MALICIOUS

Office (OOXML) / .XLSX

62.9 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300
MD5: d091fb57338164acff3bd648a1782fd9 SHA-1: ca63bade67055580f6be380cd41bb98affd5de49 SHA-256: 12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing two Excel 4.0 macro sheets. These macros are known to be capable of executing arbitrary commands, which is a common technique for downloading and executing further malicious content. No specific family could be identified, but the technique suggests a downloader or initial access payload.

Heuristics 1

  • Excel 4.0 macro sheet (2 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
61c86c6d83897319106ad1111b11750170a262e822e92dd4132e2d216c1b3436		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 1284 bytes
xlm_sheet_01.bin
c3b8db8f1200fbfa8d0fd068f7e0793a50b78e7cfbdd9a4987503d7a9bda3e74		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.bin 1169 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.