Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2f92ba4f612f74dd…

MALICIOUS

Office (OOXML) / .XLSX

Size: 32.3 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 361f29bb4ed1d533b13be8ff57b4f5a4
SHA-1: 63381a18b3537980b43570e6f2afe954a7f115f8
SHA-256: 2f92ba4f612f74dd23d7d121ad35aa6e1fc23c86f7904f51783a4a1e06f32b22
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1204.002 User Execution: Malicious File

This XLSX file contains an Excel 4.0 macro sheet, which is a known vector for malware delivery. The heuristics indicate the use of dangerous XLM functions like REGISTER, which can be used to download and execute arbitrary code. The presence of hidden sheets further suggests an attempt to conceal malicious activity. No specific URLs or executable content were directly extracted, but the macro sheet's functionality points to a downloader or initial execution stage.

Heuristics (4)

  • Dangerous XLM formula APIs: REGISTER, HALT, RETURN (critical, OOXML_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Excel 4.0 macro sheet (1 sheet(s)) (high, OOXML_XLM_MACROSHEET)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Hidden worksheet (hidden) (low, OOXML_HIDDEN_SHEET)
    Excel workbook contains 5 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
SHA-256: 71838ddcadfb5a313886a27570f96beb1572632af952382383b3701aed46cc2d
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 63795 bytes