Office (OOXML) / .XLSX malware analysis — malicious · 2e163920ee4d3d92

MALICIOUS

Office (OOXML) / .XLSX

84.4 KB Created: 2020-05-21 11:42:43 UTC Authoring application: Microsoft Excel 16.0300

MD5: b134512738d5749e0dd7bacbcb6974fa SHA-1: 5e48879ce082ce56eea982a96907af3c30a6c607 SHA-256: 2e163920ee4d3d92d950bd53b9ac08c194e4e793541fa79ce43046abe12f4820

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.005 Visual Basic for Applications

The file is an Excel spreadsheet containing Excel 4.0 macros. These macros are designed to download and execute a payload. Specifically, the macros appear to use certutil.exe to decode content from 'C:\Users\Public\ngs.txt' into 'C:\Users\Public\ngs.dll', and then execute this DLL using 'rundll32.exe'. This indicates a downloader or droppper functionality.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7aa4187706b7003a52de6699ad5a674e6d1dfb6921f74ab806ef136961c522e6`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2610 bytes
`vbaProject_00.bin` `ab1eecd2904ab7cc20a5eddeb0e19f5994e615070f692151893849a977a80116`	vba-project	OOXML VBA project: xl/vbaProject.bin	23040 bytes
`xlm_sheet_00.bin` `91584f8b7198b7bae7adecb1a951f16fb90cd0236df4f5761b76b446784c8b5f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	1903 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.