Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2281687f22fcb5f1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.16 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-08
MD5: 6776769a08f3e1c58a8e90fe167a76fa
SHA-1: c5ac470bfaf9cc4621f3149215a9e4d75a08fe05
SHA-256: 2281687f22fcb5f1cbf39a5cfa2ee3b9e6bbc04eccddaf6907f23ce456e2618e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an XLSX document containing multiple Excel 4.0 macro sheets. These macros are known to be used for arbitrary code execution, often to download and run further malicious content. While the specific macro commands are heavily obfuscated and truncated in the provided excerpts, the presence of these macro sheets strongly indicates a malicious intent. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted from the macro content.

Heuristics (2)

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 6145428 bytes | 36bcdb650f3335661fd30903e4ddbb92ac947513ed380f203fccc03424ff9fe4 |
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 1717 bytes | 44e1c910560c290cf1fe3eb0d0256a21f957a1765ea926de110b1985b1f72819 |
| xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 792 bytes | ec25b05dca7aaeaed79bb62fb6411ee9f85904d5e8709aa43d05d83ea361677c |
| xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 402 bytes | f0a9425b8507f47d4bffbfc9986e6f77a1eec5a7b094745fec3307154c314949 |
| xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 322 bytes | 7b780847888f3179b9a2306b1d9dd4b22d991fb4b1641b18d3184a5b6ac9038f |