Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1fbd2782371601ec…

MALICIOUS

Office (OOXML) / .XLSX

Size: 749.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-22
MD5: c8d85dc303bc046c712c629b38e8d4f4
SHA-1: fc7ceaa11190f179ed142910e177c0b4ee7b36b0
SHA-256: 1fbd2782371601ec4a77f613b0eef88cb98c1a8535ffeb415facd2692036351b
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is an XLSX archive containing multiple Excel 4.0 macro sheets, which triggered a critical heuristic. This indicates the file is designed to execute embedded macros, a common technique for delivering malware. No specific IOCs were extracted, but the presence of XLM macros suggests a downloader or initial-access payload.

Heuristics (3)

  • Excel 4.0 macro sheet (12 sheet(s)) [severity: critical; rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [severity: critical; rule: OOXML_XLSB_INTL_MACROSHEET_IN_XLSX]
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • Large OOXML part skipped [severity: info; rule: SCAN_INCOMPLETE]
    One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.