Office (OOXML) / .XLSM malware analysis — malicious · 3ad4819cec95571f

MALICIOUS

Office (OOXML) / .XLSM

95.9 KB Created: 2020-06-10 19:10:23 UTC Authoring application: Microsoft Excel 14.0300

MD5: 69f269d0a5e726c0bcafa1e81a456f79 SHA-1: a6537a821e059c4d10f9c35f0135e3af0227c9e9 SHA-256: 3ad4819cec95571fba65855ebde66a308472c22a4c06501bfa1b1d51730572cc

290 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File T1105 Ingress Tool Transfer T1059.001 PowerShell T1218.011 System Binary Proxy Execution: Rundll32

The sample is an XLSM file containing Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_AUTOOPEN_DEFINEDNAME' heuristics. The macros utilize dangerous XLM formula APIs like FORMULA, RUN, and REGISTER, as evidenced by 'OOXML_XLM_DANGEROUS_FN'. These functions are used to download and execute payloads, as suggested by strings like 'URLDownloadToFileA' and 'ShellExecuteA' found in 'OOXML_XLM_BINARY_WINAPI_STRINGS'. The embedded URL 'https://oidblueprin.at/3/str.dll' is likely the source of the second-stage payload. The presence of 'regsvr32.exe' and 'rundll32.exe' in the document text suggests potential execution via LOLBins.

Heuristics 7

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA, RUN, REGISTER, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS

Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 28 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://oidblueprin.at/3/str.dll
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml` `858bc776b2081d7b8f67ac6a734710b57bae61b8c6f5eff295859836e2ab6a6c`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	60823 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.