Office (OOXML) / .XLSX malware analysis — malicious · 355bd4ab760e12a6

MALICIOUS

Office (OOXML) / .XLSX

890.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300

MD5: 1633e606566e2524872966fcccadfbe1 SHA-1: 0f99554495993aeb2490a12aa7c60ec1fd5b6e37 SHA-256: 355bd4ab760e12a64d8350953492fbd23175d3deba2a3539bacf77df442dab60

322 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1218 System Binary Proxy Execution T1059.001 PowerShell

This XLSX file contains Excel 4.0 macro sheets, which are known to be used for malicious purposes. The macros utilize dangerous functions like CALL, EXEC, and FORMULA, which can be used to download and execute arbitrary code. The presence of API calls such as VirtualProtect, LoadLibrary, and GetProcAddress further indicates the intention to load and execute shellcode. No specific document body text was provided, making it difficult to determine the exact lure, but the technical indicators strongly suggest a downloader or initial execution stage.

Heuristics 8

Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: HALT, GOTO, FORMULA critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `d2e465bbbdb6503a3fd893be1cad6bc37be5ada79ce1cd32b56d171ee3a9a48e`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1612 bytes
`xlm_sheet_01.xml` `1500a25b33e6c44e18b5c98faa96785d31f78812654d30be8ea38490283daae5`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	2810 bytes
`xlm_sheet_02.xml` `66f116e14391582abd38d824fcfb1f9e6fedbd36c27b35aa868c1b3f3a5744ba`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	1456 bytes
`xlm_sheet_03.xml` `a72475d22fb0d4d3f18a2cb9d5489d1a4f9e9f2627102d9e5daac8f9df19fb24`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml	1565 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.