Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1b6fc736726745e4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 155.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0d17b19ea324d2ae08a0473e98498bfc
SHA-1: 2f11fa59b4d2c64863881e8084c15c89da09c190
SHA-256: 1b6fc736726745e4d745f373d11ab661bd27db662a6e833b21678c193c06a88c
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSX file containing multiple Excel 4.0 macro sheets, as indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The ClamAV detection of 'Multios.Malware.Agent-9976565-0' further confirms its malicious nature. The extracted macro content is heavily obfuscated and truncated, preventing a detailed analysis of its specific actions, but the presence of XLM macros strongly suggests an attempt to execute arbitrary code.

Heuristics 3

  • Excel 4.0 macro sheet (8 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Multios.Malware.Agent-9976565-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Multios.Malware.Agent-9976565-0

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename | Hash | Kind | Source | Size
xlm_sheet_00.bin | 707286be3adee4bb71706f8e33eac4a00ad4798a09b9bc4fcbd508421d42eae3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2510 bytes
xlm_sheet_01.bin | 0b8d1b0cc3345e3192eb316418df0abd4df1724dfc6e89f9b797a3ec3a116666 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes
xlm_sheet_02.bin | 95d18ab8a52ff07f733f6525755497dd373c751fc75f66c9e44a97e72249199e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes
xlm_sheet_03.bin | 5876bf754443358f21831ded50530fcd64321936ac6276ae052b2274ea7edbdf | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes
xlm_sheet_04.bin | 9ef2819a4f98b9d5f46d61a3b25b15046bac14401ac6aa7b8d5dc8ab2d6a1043 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes
xlm_sheet_05.bin | ac7e512cb4697c7e43c1017c71ac40a12178782019e95f0eacb17164c3a6f458 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes
xlm_sheet_06.bin | 04cdb45608f4bf92cacbb735a550851e04e343a904396de0a400f4f175e8b868 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes
xlm_sheet_07.bin | dfb7483e4d4cec3b9ad215a6a4c6f8b61715de3f3ca2d1c76723a9709ece4e4b | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes