Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3a35cc9715e5b43f…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 84.8 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 855f1e91d91b3dd2e5000569c06a69e2
SHA-1: 9b54791a1b1381d48b78ffbcabb08f0035e31a4d
SHA-256: 3a35cc9715e5b43fb77e010891e1f8e70137a12496749cb1ef9c5174fba0ec5c
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet, which is commonly used for malicious purposes. The macro sheet contains obfuscated commands that appear to construct a path to a startup folder shortcut, suggesting an attempt to establish persistence. The macro likely downloads and executes a second-stage payload, though the exact download URL and payload are not directly discernible from the provided truncated script.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet(s)) [severity: critical, rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256:  a10baed3b6076d97c3d86dd9502f14281f05bf02b3dda2948f060ade36adc0eb
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size:     6537 bytes