Office (OOXML) / .XLSX malware analysis — malicious · 2706791cbc86af00

MALICIOUS

Office (OOXML) / .XLSX

184.4 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: a4cb6feb656fc63c0156568101c53c63 SHA-1: b3db6dd7722226c3e29fdda7746632a81a479531 SHA-256: 2706791cbc86af00c760f73ee7fb11f3cc338b3e7d65d4edcff469cda30169f4

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of Excel 4.0 macros within the XLSX file. The extracted macro content, though partially truncated, shows evidence of attempting to execute commands and manipulate file paths, specifically referencing 'C:\ProgramData\excel.rtf'. This suggests the macro's purpose is to download and execute a second-stage payload from a remote source, which is a common technique for malware delivery.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `8a154820fdcd3338eef5ac234c4a860dab5ba6773252f7805c9ea000f8d83ca3`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	460364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.