Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 377bb7d27202a508…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 21.8 KB
Created: 2021-04-14 10:51:13 UTC
Authoring application: Microsoft Excel 16.0300
MD5: bad5bf271055a54eb54d7e2e6886e26f
SHA-1: 8de738622d8093c05fc1a1a77d0466f14bcee262
SHA-256: 377bb7d27202a508013637049e7724094237768f3f6ff0b7e17c0f7bf17f7ff9
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel workbook containing an Excel 4.0 (XLM) macro sheet, as indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_AUTOOPEN_DEFINEDNAME' heuristics. The document body contains a social engineering lure instructing the user to click 'Enable Editing' and 'Enable Content' to view the document, a common tactic in macro-enabled malicious documents. The presence of an Auto_Open defined name indicates that the macro is set to execute automatically when the workbook is opened.

Heuristics (3)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
SHA-256: 7873768abd34743678d017e97752eb3794915032ca083028042183a19b0f3c33
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 16450 bytes