Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 1d66dd1c1693ce08…

MALICIOUS

Office (OOXML) / .XLSM

155.2 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300
MD5: a30f49b2c63b5ff5025a7a46e7ee4821 SHA-1: 9a68c78a5311e7e77b6bd6ba21bdd92bd1c90f8d SHA-256: 1d66dd1c1693ce08aea4f043c59079e8053bbd916f00eccab1d074b334a5a1a9
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1071.001 Web Protocols

The sample is an XLSM file containing Excel 4.0 macros, indicated by multiple critical heuristic firings. The macros utilize dangerous functions like FORMULA.FILL and FORMULA, which are known to be used for downloading and executing payloads. The presence of embedded URLs pointing to external domains strongly suggests a downloader or droppper functionality, aiming to fetch and run a second-stage malicious artifact.

Heuristics 4

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA.FILL, FORMULA, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL https://ecology-japan.com/nHi2nZU1fqyM/gg.html
    • https://jjcart.net/TQuC4kcg/gg.html
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
6396b663a4fd54b7f58c0a9133692e01e530055da80fd936b10721f3c7989126		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 1503 bytes
xlm_sheet_01.xml
8d10f47fc333f48ab24da329bc50acbf5ad96dbffc855723427f6dda1fd22b94		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 1525 bytes
xlm_sheet_02.xml
3534428ae04c8748b30395c535d82383fafebe35201b605b4b184928cd71445b		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 11306 bytes
xlm_sheet_03.xml
116442751b27cac0ac22dfe8ef12d959cf127fb14d16558c667e52c97787bca2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1099 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.