Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3e65723dac947966…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.16 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-30
MD5: 57748744b84e4ecb102dcafa79ca5715
SHA-1: 6f7b8410f54e1527a32da44ca900bb21735d0711
SHA-256: 3e65723dac9479669a18551b8ae7b159d44ff15eaa227ad3a33101a9afaea251
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell

The file is an XLSX document containing multiple Excel 4.0 macro sheets, identified by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. These macro sheets are known to be used for executing arbitrary commands. While the specific commands are obfuscated within the binary data of the macro sheets, the presence of these macros strongly suggests an intent to download and execute a secondary payload. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted from the macro content.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                             Size
emf_00.emf        ooxml-emf       OOXML EMF part: xl/media/image1.emf                6145428 bytes
                  SHA-256: a12daa770fc1848e39c880d90376e8e5b6814576e9bdbfaa076685fd9b9b2ba3
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin   484 bytes
                  SHA-256: 94dcae400bad291e7734b3303be72f72bc74b4ef3f7737fe960644bb383a7a69
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin   484 bytes
                  SHA-256: 6b69a539d2d44586cd29d86a91c29f1e2ba8aa4a323b5a4a9f7f0d23cd002d42
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  2165 bytes
                  SHA-256: 46ff111a4683eea3ae97021320d38aa4eb315350d26452c986cde8fd19a80a92