Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2e37a0c7cb3d7fbf…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 96.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 71c4aae32789ec3e67a86291d3b566d9
SHA-1: c3c6967d29252e191c1f1846e4a3554bfa330214
SHA-256: 2e37a0c7cb3d7fbfa89377c3044bfc43a6365a33ed94cdf23287b09e52ebc004
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSX file containing multiple Excel 4.0 (XLM) macro sheets. Such macro sheets are commonly abused to execute arbitrary code or download further payloads. The heuristics flag the presence of these macro sheets, which is a strong indicator of malicious intent. No specific IOCs were extracted from the macro content itself because it is obfuscated.

Heuristics (2)

  • Excel 4.0 macro sheet (7 sheet(s)) [critical] [OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] [OOXML_XLSB_INTL_MACROSHEET_IN_XLSX]
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename (hash) | Kind | Source | Size
xlm_sheet_00.bin (c37fba766abd6d156918a643e026b438f9eb0eaa225c144756cd2a5c6fda4519) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 484 bytes
xlm_sheet_01.bin (22bba77ccfeebe8e5c4e883612c26774cb0b357b34f9b8f821432aab3ada7cb3) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 484 bytes
xlm_sheet_02.bin (a54cfa9ba41e5598d383926a84d25941debd28f24c9934cba5a5f56d9097ca69) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2076 bytes
xlm_sheet_03.bin (cc1fea1c5ed0ee9ba6377487e147436c2cdc066a48105c36d0aca3c1995417f4) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 484 bytes
xlm_sheet_04.bin (fc16eb2a62981f93b25a935d0a0fb49d33f90429021cb43f6e7f301424f17a92) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 484 bytes
xlm_sheet_05.bin (e1559372370dc0c7c16b816f71c2d5acc0e30cc8878cffe531ed647dae733bb2) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 484 bytes
xlm_sheet_06.bin (1f384d37a830103e6e157bda73c1f5bba7a0a8db52a6ba5a8d8560d3886df131) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 484 bytes