Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 364c346e9b99b9c8…

MALICIOUS

Office (OOXML) / .XLSM

Size: 183.2 KB | Created: 2015-06-05 18:19:34 UTC | Authoring application: Microsoft Excel 16.0300
MD5: 3ef9791392b20e99fb6413691efea44a
SHA-1: 92240250cfd68a6c40a7673b6d4bc84340708c43
SHA-256: 364c346e9b99b9c846acb8ce8d2ef0c9fbb2edfc8ffaf0a895d465d783ecdeaa
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

This XLSM file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, which is a common technique for executing malicious code upon opening. The macros utilize dangerous formula APIs like FORMULA, GOTO, REGISTER, and HALT, which can be used to download and execute arbitrary code. ClamAV also identified this file as a downloader. No document body text was available for analysis, and no URLs were extracted that were not confirmed benign.

Heuristics (6)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.GreenEnable06210-9869360-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable06210-9869360-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                                Size
(the SHA-256 of each carved file is given on the line below its row)

xlm_sheet_00.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml  3233 bytes
  SHA-256: a59fc544cb8b2d600fcfc478b6d758f14bb5a970dcbd7bed9b6381d0fa65ddcb
xlm_sheet_01.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml  1785 bytes
  SHA-256: 716d1708b78778701c84eaf2d848c4aa6dbc859a82080c58f06a0fbf48f39542
xlm_sheet_02.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml  2308 bytes
  SHA-256: ee53724c013f6d80cfb10a8b258801e38cf83ba9a7366385139d3838a400abd3
xlm_sheet_03.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml  1587 bytes
  SHA-256: cd3ab4b8e7330421af8fef3b07d1c240d54bea1ef413297f8b55501b9a0e2772
xlm_sheet_04.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml  1587 bytes
  SHA-256: 6b118fd093ce5f52799b56aa29ca562e201fc37655267d384c84fbe05ec198aa
xlm_sheet_05.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml  1580 bytes
  SHA-256: d86382cd48cf5b090eb645f7251494f82b2e8c61e4e94a94ba295a5a9a8c628b
xlm_sheet_06.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml  1586 bytes
  SHA-256: 564a12d089bea2438d54307bbe41077c7c199180e2f4d57332081b6e2b2c2cb6
xlm_sheet_07.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml  1583 bytes
  SHA-256: 66150b001e8a7524a17d0bdcfa2d5a5d387a75b9c9ca16a1d1bba19ccb52a96e
xlm_sheet_08.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml  1561 bytes
  SHA-256: 32deba180b1d50bf8dc140f42042696af27da0b8d8f58ce045bea4a1bef5015c
xlm_sheet_09.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.xml      1498 bytes
  SHA-256: 867a6ad5ec743bf32bd430da32ba770bbe97c8032cc70b36d5f7b25b690caefe