Office (OOXML) / .XLSX malware analysis — malicious · 2d95163ef2732027

MALICIOUS

Office (OOXML) / .XLSX

203.0 KB Created: 2021-03-16 13:14:06 UTC Authoring application: Microsoft Excel 16.0300

MD5: 328069f858de002f5bfe248dbba0d96d SHA-1: 70f5fd7b163dae1d627a4278462cc7991d5f9b77 SHA-256: 2d95163ef2732027615c7c98438da5401e1892707a104d18d703698a17be0806

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The critical heuristic firing indicates an Excel 4.0 macro sheet, which is often used for malicious purposes. The embedded macro content, when partially reconstructed, reveals strings that suggest downloading and executing a file from the URL 'http://gogodark.xyz/cam/g/g/h4gf.dll'. This indicates a downloader or droppper functionality.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `5527b28a0e3e81c54d4caac65a095d45378bdea9648d2c2842fd19a57703e6e4`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	2556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.