Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1ea15c758618bb18…

MALICIOUS

Office (OOXML) / .XLSX

Size: 264.4 KB
Created: 2015-06-05 18:19:34 UTC (document metadata, attacker-controlled; not evidence of when the sample was built)
Authoring application: Microsoft Excel 16.0300 (document metadata)
First seen: 2022-02-17
MD5:     5aefe480488b78b0d5191475f691191f
SHA-1:   a8fda04103b4d218d9515d68fdf6e4274b5bdb1c
SHA-256: 1ea15c758618bb18d1d3f6911d9c7d356a154f273e1d8c4b5d5851bb3687c3da

Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (the report's mapping; note that the macros in this sample are Excel 4.0/XLM, not VBA, so controls that only block or inspect VBA do not cover them)

The sample is an OOXML package named .xlsx whose workbook parts are stored as XLSB (BIFF12 binary) rather than XML, and it carries 13 Excel 4.0 (XLM) macro sheets under xl/macrosheets/ (nine international macro sheets, intlsheet1.bin through intlsheet9.bin, and four standard ones, sheet1.bin through sheet4.bin), as flagged by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. ClamAV detects both the container and the carved macro sheet xl/macrosheets/intlsheet3.bin as Multios.Malware.Agent-9970808-0. The macro code itself is not reproduced in this report; the analysis describes it as heavily obfuscated and truncated, so the assessment that the macros download and execute a second-stage payload (the usual role of XLM droppers in initial access) rests on the presence and layout of hidden XLM rather than on recovered commands, and should be confirmed by emulating the macro sheets before it is used as a sole indicator.

Heuristics (4)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (13 sheets)
    Spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls (it is a different engine from VBA, so controls that only block or inspect VBA do not see it) until Microsoft made XLM macros disabled by default in 2022. Even legitimate XLM use is rare in modern workbooks. Here the macro sheets are stored as XLSB/BIFF12 binary parts, which XML-only OOXML scanners miss.
  • [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX: XLSB international XLM macro sheet hidden in .xlsx
    The OOXML package is named .xlsx but contains XLSB workbook parts and international Excel 4.0 macro sheets (xl/macrosheets/intlsheet*.bin). This hides XLM macro execution from scanners that trust the extension or inspect only XML worksheet parts; Excel resolves parts from [Content_Types].xml, not from the file extension. The technique is macro execution, not a document-parser CVE.
  • [critical] CLAMAV_DETECTION: ClamAV: Multios.Malware.Agent-9970808-0
    ClamAV detected this file as malware: Multios.Malware.Agent-9970808-0.
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV detection on extracted artifact
    ClamAV flagged at least one file carved from inside this sample (here xl/macrosheets/intlsheet3.bin, with the same signature). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
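The two OOXML heuristics above, and the artifact carving further down, come down to one check: open the package as a zip, resolve each part's content type from [Content_Types].xml, and look for macro sheets by part path or content type instead of trusting the .xlsx extension. The following is an added example written for this page, not code from the report or from the scanner that produced it. The content-type strings are the ones I recall from ECMA-376 and [MS-XLSB] and are an assumption; the scan keys only on the xl/macrosheets/ path and the substring "macrosheet", so the exact strings are not load-bearing. The two packages it scans are constructed in memory with placeholder bytes in place of real BIFF12 records; they are not the sample analysed here.

```python
# Added example (not the report's or scanner's code): flag hidden XLM macro
# sheets in an OOXML package and carve them the way the artifact table lists them.
import hashlib
import io
import os
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Content types as I recall them from ECMA-376 / [MS-XLSB] (assumption, not from
# the report). Detection keys on the path and the substring "macrosheet" only.
CT_WORKBOOK_BIN = "application/vnd.ms-excel.sheet.binary.macroEnabled.main"
CT_WORKSHEET_BIN = "application/vnd.ms-excel.worksheet"
CT_MACROSHEET_BIN = "application/vnd.ms-excel.macrosheet"
CT_INTLMACROSHEET_BIN = "application/vnd.ms-excel.intlmacrosheet"
CT_WORKBOOK_XML = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
CT_WORKSHEET_XML = "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"


def part_content_types(zf):
    """Map part name -> content type: an Override wins, else the Default for its extension."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {d.get("Extension", "").lower(): d.get("ContentType", "")
                for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName", "").lstrip("/"): o.get("ContentType", "")
                 for o in root.iter(CT_NS + "Override")}
    resolved = {}
    for name in zf.namelist():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        resolved[name] = overrides.get(name, defaults.get(ext, ""))
    return resolved


def find_macrosheets(zf):
    """(part, content_type) for every Excel 4.0 macro sheet, whether XML or XLSB-encoded."""
    return sorted((part, ctype) for part, ctype in part_content_types(zf).items()
                  if part.startswith("xl/macrosheets/") or "macrosheet" in ctype.lower())


def scan_ooxml(data, filename):
    """Return (heuristic_id, severity, description) tuples for the two XLM heuristics."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        sheets = find_macrosheets(zf)
        if sheets:
            findings.append(("OOXML_XLM_MACROSHEET", "critical",
                             f"Excel 4.0 macro sheet ({len(sheets)} sheet(s))"))
        intl = [p for p, ct in sheets if "intlmacrosheet" in ct.lower()
                or os.path.basename(p).startswith("intlsheet")]
        xlsb_parts = [n for n in zf.namelist() if n.startswith("xl/") and n.endswith(".bin")]
        # The extension claims .xlsx while the parts are XLSB with an international macro sheet.
        if filename.lower().endswith(".xlsx") and xlsb_parts and intl:
            findings.append(("OOXML_XLSB_INTL_MACROSHEET_IN_XLSX", "critical",
                             f"{len(xlsb_parts)} XLSB part(s) and {len(intl)} intl XLM sheet(s) in .xlsx"))
    return findings


def carve_macrosheets(data):
    """Carve each macro sheet part into the xlm_sheet_NN.bin form used in the artifact table."""
    artifacts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for idx, (part, _) in enumerate(find_macrosheets(zf)):
            blob = zf.read(part)
            artifacts.append({"filename": f"xlm_sheet_{idx:02d}.bin", "source": part,
                              "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()})
    return artifacts


def build_package(parts, overrides):
    """Build a minimal OOXML zip in memory (constructed test input, not a real sample)."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Types xmlns="{CT_NS[1:-1]}">',
             '<Default Extension="xml" ContentType="application/xml"/>']
    lines += [f'<Override PartName="/{p}" ContentType="{c}"/>' for p, c in overrides.items()]
    lines.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(lines))
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-ins (not the sample above): an XLSB workbook with two macro sheets
# inside a ".xlsx", and an ordinary XML-only workbook. The .bin bodies are placeholders.
MALICIOUS_XLSX = build_package(
    {"xl/workbook.bin": b"\x00BIFF12-placeholder",
     "xl/macrosheets/intlsheet1.bin": b"\x00intl-macro-placeholder",
     "xl/macrosheets/sheet1.bin": b"\x00macro-placeholder",
     "xl/worksheets/sheet1.bin": b"\x00data-placeholder"},
    {"xl/workbook.bin": CT_WORKBOOK_BIN, "xl/worksheets/sheet1.bin": CT_WORKSHEET_BIN,
     "xl/macrosheets/intlsheet1.bin": CT_INTLMACROSHEET_BIN,
     "xl/macrosheets/sheet1.bin": CT_MACROSHEET_BIN})
BENIGN_XLSX = build_package(
    {"xl/workbook.xml": b"<workbook/>", "xl/worksheets/sheet1.xml": b"<worksheet/>"},
    {"xl/workbook.xml": CT_WORKBOOK_XML, "xl/worksheets/sheet1.xml": CT_WORKSHEET_XML})

if __name__ == "__main__":
    for hid, sev, desc in scan_ooxml(MALICIOUS_XLSX, "invoice.xlsx"):
        print(f"{sev:8} {hid}: {desc}")
    for art in carve_macrosheets(MALICIOUS_XLSX):
        print(f"{art['filename']}  {art['source']}  {art['size']} bytes  {art['sha256'][:16]}...")
    print("benign:", scan_ooxml(BENIGN_XLSX, "report.xlsx"))
```

Run against a real file with `scan_ooxml(open(path, "rb").read(), path)`. The design point is that neither check reads the extension to decide what the parts are: a .xlsx whose workbook is XLSB still resolves to macro sheet content types, and a macro sheet stored as .bin is still found by its path, which is exactly what an XML-only or extension-trusting scanner loses.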

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename / kind / source part / size (SHA-256 of the carved part on the following line)

xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  363 bytes
  SHA-256: ea06a8953b3a9ba04d3865efae4d5859773d9bdefc867b3f2871edae162a58a5
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  776 bytes
  SHA-256: 50bc43abd185a42927ee43adbd4b8db25d62f4741404108aa88f7c8c2fb4181b
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin  2637 bytes
  SHA-256: 4e892487f9af4ff228732f13533387cfded5adafe268ac413d3ce8758b627a5c
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin  1656 bytes
  SHA-256: d8f7c0dfb99d3b21db2d8321ca4457383dbdb02ec83349ffd8e5d78a917c7dc3
  Detection: ClamAV: Multios.Malware.Agent-9970808-0
  Obfuscation or payload: unlikely
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin  673 bytes
  SHA-256: ef1881d622b9d949d1c108f9ca407429b9aba0561e0e2f3ef55d807e75160de4
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin  707 bytes
  SHA-256: 96877df8d22e92d4fba5e61eb26031b2e9033801ac70b6ceacf982b3b2471789
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin  826 bytes
  SHA-256: 0a270391e734c3cab9d718aedb0d3853ac33327b54717f9adea594e464d043d0
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin  552 bytes
  SHA-256: 5735eea820db93e2d1cc8ac0c5664b6604916e79f5cf07589f20c7c0f7f3f9ae
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin  483 bytes
  SHA-256: db67694c3a69d8c5ec6b308472cf4843ce36a58f021fc3dbfb1711f2fd8faef7
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin  875 bytes
  SHA-256: 9404b45a3bda56d5d118ae02bb78d0081df90f15d34ff4d8fb5a64e7c9e9cb53
xlm_sheet_10.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin  780 bytes
  SHA-256: 855aef3f6ebdc2b03750a1539f7610ea13ec551ce449f5e3b99c7190fb41b0f8
xlm_sheet_11.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin  859 bytes
  SHA-256: c84ec331e7fd7b4ca513983c9f0f80dd3f3ff904f18716d8daa2119b913453a9
xlm_sheet_12.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin  679 bytes
  SHA-256: 61dcf4307e1b88bb124a024cf4181495210e853042b5805b040d16b7fb925c75