Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 13a2e29286f57825…

MALICIOUS

Office (OOXML)

3.22 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-12-26
MD5: d5eabddf0e3e119902956684d52261ce SHA-1: 43dcccd4269124ffe5a75bcdf854c62efee51e44 SHA-256: 13a2e29286f578253ae2ae16bb25b6ae1ffcf16421b170a79de5b6bbcae73aea
180 Risk Score

Heuristics 3

  • Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.