Office (OOXML) / .XLSX malware analysis — malicious · 2d75cc20eef1dc72

MALICIOUS

Office (OOXML) / .XLSX

89.8 KB

MD5: 2e5ba6f379de18b684d20ddfcddb9298 SHA-1: 239d1306f759065f4531370cab3f3ad2de04cd9c SHA-256: 2d75cc20eef1dc72fee0d3b3ff5a261a2d0bbdb6eb363bfae4a016c922f97e20

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' heuristic. The extracted macro content, though partially obfuscated, suggests an attempt to execute commands, potentially by writing to or referencing the file path 'C:\ProgramData\excel.rtf'. This indicates a macro-based attack pattern aimed at executing arbitrary code.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Malformed OOXML local headers contain an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and is rarely used in modern legitimate workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERS

The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_11.bin` `e1a4ee2616711f4b6aea3573c28b735c42782090d01143157ee35e949e14fc14`	xlm-macrosheet	Malformed OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	271635 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.