Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 20b31f3343d80565…

MALICIOUS

Office (OOXML) / .XLSX

Size: 123.8 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c31beb9f44aad727a9696178cb8b1a58
SHA-1: 38d05e3d1b05baaf85721061640283263b3917df
SHA-256: 20b31f3343d8056522a54e84e187c6e8502ab5b46cd663a610bc786ab21f9d59
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

ClamAV identifies the file as malicious with the signature Xls.Downloader.GreenOffice01223-9937701-0. Static analysis found eight Excel 4.0 (XLM) macro sheets inside the XLSX package, stored as XLSB binary parts rather than as XML worksheets. The signature family and the macro structure point to a downloader that fetches and executes a second-stage payload; the download URL and the execution commands could not be reconstructed because the macro content is obfuscated.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) critical OOXML_XLM_MACROSHEET
    The spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft changed the defaults to block XLM macros; legitimate XLM use is rare in modern workbooks. Here the macro sheets are stored as XLSB/BIFF12 binary parts (xl/macrosheets/*.bin), which scanners that parse only the XML worksheet parts of an OOXML package miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    The OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet (xl/macrosheets/intlsheet1.bin). This hides XLM macro execution from scanners that trust the file extension or inspect only XML worksheet parts; the extension has to be checked against the content types and part names declared inside the package. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware with the signature Xls.Downloader.GreenOffice01223-9937701-0.
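The two package-level heuristics above come down to reading [Content_Types].xml and the part list of the ZIP container instead of trusting the extension. The following script is an added example written for this page; it is not the report's analysis tooling. It enumerates the parts of an OOXML package, flags XLM macro sheets whether they are declared with the XML or the XLSB content types (from MS-XLSX / MS-XLSB) or merely live under xl/macrosheets/, reports an .xlsx that carries an XLSB workbook plus an international macro sheet, and hashes each macro-sheet part the way the artifact carver does. The sample packages it builds are constructed placeholders (no real BIFF12 records), not the analysed file; one macro sheet is deliberately mis-declared as a worksheet to show why the path check matters.

```python
# Added example, not from the original report or its tooling: walk an OOXML
# package, flag Excel 4.0 (XLM) macro sheets stored as XML or as XLSB binary
# parts, and hash each one as a carver would. Sample packages are constructed.
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# XML forms (.xlsx/.xlsm) end in "+xml"; XLSB binary forms do not (MS-XLSX / MS-XLSB).
MACROSHEET_CTS = {"application/vnd.ms-excel.macrosheet+xml", "application/vnd.ms-excel.macrosheet",
                  "application/vnd.ms-excel.intlmacrosheet+xml", "application/vnd.ms-excel.intlmacrosheet"}
XLSB_WORKBOOK_CT = "application/vnd.ms-excel.sheet.binary.macroEnabled.main"


def part_content_types(zf):
    """Map each part to its declared type: an Override wins, else the Default for its extension."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {d.get("Extension").lower(): d.get("ContentType") for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName").lstrip("/"): o.get("ContentType") for o in root.iter(CT_NS + "Override")}
    types = {}
    for name in zf.namelist():
        if name.endswith("/") or name == "[Content_Types].xml":
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        types[name] = overrides.get(name, defaults.get(ext))
    return types


def scan_package(data, filename):
    """Return the macro-sheet parts (size, SHA-256) and the heuristic names they trigger."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    types = part_content_types(zf)
    sheets = []
    for name, ct in sorted(types.items()):
        by_ct = ct in MACROSHEET_CTS
        # Never trust [Content_Types].xml alone: anything under xl/macrosheets/ is a
        # macro sheet even when its declared type claims it is a plain worksheet.
        by_path = name.lower().startswith("xl/macrosheets/")
        if not (by_ct or by_path):
            continue
        blob = zf.read(name)
        sheets.append({
            "part": name,
            "binary": name.lower().endswith(".bin"),
            "international": "intlmacrosheet" in (ct or "") or "/intlsheet" in name.lower(),
            "detected_by": "+".join(k for k, hit in (("content-type", by_ct), ("path", by_path)) if hit),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    xlsb_workbook = types.get("xl/workbook.bin") == XLSB_WORKBOOK_CT
    heuristics = ["OOXML_XLM_MACROSHEET"] if sheets else []
    if filename.lower().endswith(".xlsx") and xlsb_workbook and any(s["international"] for s in sheets):
        heuristics.append("OOXML_XLSB_INTL_MACROSHEET_IN_XLSX")
    return {"xlsb_workbook": xlsb_workbook, "macrosheets": sheets, "heuristics": heuristics}


def _package(parts):
    """Zip a {part name: content} mapping into an OPC-style package (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


CT_OPEN = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'


def build_xlsb_in_xlsx_sample():
    """Constructed: .xlsx-named package with an XLSB workbook plus one ordinary and one international
    XLM macro sheet as .bin parts (placeholder bytes); the international sheet is mis-declared."""
    ctypes = (CT_OPEN
              + '<Override PartName="/xl/workbook.bin" ContentType="' + XLSB_WORKBOOK_CT + '"/>'
              + '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
              + '<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
              + '<Override PartName="/xl/macrosheets/intlsheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
              + '</Types>')
    return _package({"[Content_Types].xml": ctypes, "xl/workbook.bin": b"\x00" * 64,
                     "xl/worksheets/sheet1.bin": b"\x00" * 32,
                     "xl/macrosheets/sheet1.bin": b"\x01" * 428,
                     "xl/macrosheets/intlsheet1.bin": b"\x02" * 2080})


def build_clean_xlsx_sample():
    """Constructed: an ordinary .xlsx with XML workbook and worksheet parts only."""
    ctypes = (CT_OPEN
              + '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
              + '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
              + '</Types>')
    return _package({"[Content_Types].xml": ctypes, "xl/workbook.xml": "<workbook/>",
                     "xl/worksheets/sheet1.xml": "<worksheet/>"})


if __name__ == "__main__":
    for s in scan_package(build_xlsb_in_xlsx_sample(), "invoice.xlsx")["macrosheets"]:
        print(s["part"], s["detected_by"], s["size"], s["sha256"])
```

The extension-mismatch heuristic fires only when the name says .xlsx while xl/workbook.bin is declared with the XLSB workbook content type and an international macro sheet is present; the same package renamed to .xlsb still yields OOXML_XLM_MACROSHEET but not the mismatch finding. Real parts would need a BIFF12 record parser to recover formulas; this script stops at identification and hashing, which is what the heuristics and the artifact list above record.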

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

xlm_sheet_00.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin
  Size:    428 bytes
  SHA-256: 601e373374d41fdd36dd907ce4e8dc0dc0e62d3cf33bbc6cf8c27500b3b2183f

xlm_sheet_01.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet7.bin
  Size:    428 bytes
  SHA-256: 789c86435dced37b9809e0d14afad4ae4bec773ba94488e1a402ea2607098acf

xlm_sheet_02.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
  Size:    2080 bytes
  SHA-256: 75546976956b41175dda83afb5dd2f36972a4c8ee8479a35e3c993561a13e40f

xlm_sheet_03.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin
  Size:    428 bytes
  SHA-256: fa2cdb3f36be3e136711bb0f17877a81a3075c3aa1f9577263203e20e17563b6

xlm_sheet_04.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size:    428 bytes
  SHA-256: 3a4f7457134bada0037c22b38f7a80bf2ab71f1bea3b2529ecec0ec1f8c4a567

xlm_sheet_05.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet6.bin
  Size:    428 bytes
  SHA-256: 9503a7e1b54a411a5384744a0235d0aa88ebdfcc1d955d8bb046efd02166e80e

xlm_sheet_06.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin
  Size:    428 bytes
  SHA-256: d467663aa96d2dc4437dcdc2fe587f90ebd44488e841fa9404c0820dcc29eda3

xlm_sheet_07.bin
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet5.bin
  Size:    428 bytes
  SHA-256: 81cd2db898416c2ec8e340d66f358552cf450627a515990768e25ebfeee99983