Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 27180043ebeb8f2a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 63.1 KB
Created (docProps/core.xml metadata, attacker-controllable): 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 276bf3db434b887bb77adca0bd46e130
SHA-1: eee2be9136f2c70a28b6ca5289e73e2a38453da2
SHA-256: 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is an OOXML package named .xlsx that carries two embedded Excel 4.0 (XLM) macro sheets, stored as binary BIFF12 (XLSB) parts rather than XML. XLM macro sheets run when the workbook is opened (subject to the Office macro policy) and can execute arbitrary commands, a long-standing initial-access technique. No specific malware family could be identified, and no external IOCs such as URLs, IP addresses or hashes of dropped payloads were extracted; the two carved macro sheets are the only artifacts recovered from the sample.

Heuristics (2)

  • Excel 4.0 macro sheet (2 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    The spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft disabled XLM macros by default in 2022. Even legitimate XLM use is rare in modern workbooks. Here the macro sheets are stored as XLSB/BIFF12 binary parts, which XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    The OOXML package is named .xlsx but contains XLSB workbook parts and international Excel 4.0 macro sheets (xl/macrosheets/intlsheet*.bin). This hides XLM macro execution from scanners that trust the file extension or inspect only XML worksheet parts; Excel itself dispatches on the package's content types, not the extension. The technique is plain macro execution, not a document-parser CVE.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256:  bf6be599b94d52e942b2ffec1b55f53bc5824bdebd69afcc74814ae03780a1c6
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
Size:     1610 bytes

Filename: xlm_sheet_01.bin
SHA-256:  bc3dcf4383725e2488e40dec5ccae3bbfdd4d3c9133e08144fc0d071bf9bc52d
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin
Size:     617 bytes