Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3f54aa231423dba5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 216.1 KB
Created: 2021-10-14 17:24:36 UTC
Authoring application: Microsoft Excel 12.0000 (AppVersion from docProps/app.xml)
MD5: 6044de3430709817472e987ba3eea468
SHA-1: bbc66b10106e2e6a8c350e07e4a47429078377ec
SHA-256: 3f54aa231423dba5910935268304479637e3d1ec2d4b048df8b22d39106214f2
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an Excel workbook containing an embedded Excel 4.0 (XLM) macro sheet. XLM macros can execute arbitrary code and are commonly used to download and run a further payload. The heuristics confirm the presence of an XLM macro sheet, which is the critical finding in this report. No specific IOCs (URLs, hashes) were extracted from the macro sheet itself, because the macro content recovered during analysis was truncated.

Heuristics 2

  • Excel 4.0 macro sheet (1 sheet) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft restricted XLM macros by default. Even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as XLSB/BIFF12 binary content (xl/macrosheets/sheet1.bin), which XML-only OOXML scanners miss.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/tiff/1.0/
    All three are XML namespace identifiers (the RDF namespace and Adobe XMP schema URIs, typically carried in the XMP metadata of an embedded image), not hosts the document contacts. They should not be treated as network IOCs.
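The two findings above (a binary XLM macro sheet that XML-only scanners miss, and extracted URLs that are really namespace URIs) can be reproduced with a small triage script. The following is an added example written for this report, not the scanner's own code: it enumerates every part under xl/macrosheets/ regardless of whether it is .xml or .bin, reads the sheet visibility from xl/workbook.xml (a veryHidden macro sheet is a common XLM evasion), and labels extracted URLs as namespace references or candidates for review. The macro-sheet content-type strings and the namespace prefix list are assumptions; the sample workbook is constructed in memory and stands in for the analysed file.

```python
"""Triage an OOXML workbook for Excel 4.0 (XLM) macro sheets and sort extracted
URLs into namespace references vs. candidate indicators.

Added example; not the scanner's code. The workbook below is constructed in
memory (a 4 KiB stand-in for a BIFF12 macro sheet), not the analysed sample.
"""
import hashlib
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Content types Excel registers for macro-sheet parts (assumption; the path
# check in find_macrosheets() does not depend on these being declared).
MACROSHEET_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",     # XLSM: xl/macrosheets/sheetN.xml
    "application/vnd.ms-excel.macrosheet",         # XLSB: xl/macrosheets/sheetN.bin
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
# URL prefixes that are XML namespace / schema identifiers, not network IOCs.
NAMESPACE_PREFIXES = (
    "http://www.w3.org/",
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://purl.org/dc/",
    "http://ns.adobe.com/",
)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def declared_content_types(zf):
    """Map part name -> content type from the Override entries of [Content_Types].xml."""
    out = {}
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except KeyError:
        return out
    for ov in root.iter(CT_NS + "Override"):
        out[ov.get("PartName", "").lstrip("/")] = ov.get("ContentType", "")
    return out


def sheet_visibility(data):
    """Map sheet name -> state (visible/hidden/veryHidden) from xl/workbook.xml.
    XLSB stores the workbook as workbook.bin, which this helper does not parse."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    out = {}
    try:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    except KeyError:
        return out
    for sheet in root.iter(SS_NS + "sheet"):
        out[sheet.get("name")] = sheet.get("state", "visible")
    return out


def find_macrosheets(data):
    """One dict per macro-sheet part: path, declared type, binary flag,
    uncompressed size and SHA-256. Any part under xl/macrosheets/ counts,
    .xml or .bin alike, so binary XLM sheets are not skipped."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    ctypes = declared_content_types(zf)
    hits = []
    for info in zf.infolist():
        name = info.filename
        if not name.lower().startswith("xl/macrosheets/"):
            continue
        blob = zf.read(name)
        hits.append({
            "part": name,
            "content_type": ctypes.get(name, "(undeclared)"),
            "declared_macrosheet": ctypes.get(name) in MACROSHEET_CONTENT_TYPES,
            "binary": name.lower().endswith(".bin"),
            "size": len(blob),          # uncompressed; can exceed the container size
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return hits


def triage_urls(data):
    """Extract http(s) URLs from every part; label namespace URIs separately."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    found = {}
    for info in zf.infolist():
        for m in URL_RE.finditer(zf.read(info.filename)):
            url = m.group(0).decode("utf-8", "replace")
            kind = "namespace" if url.startswith(NAMESPACE_PREFIXES) else "review"
            found.setdefault(url, {"kind": kind, "parts": set()})["parts"].add(info.filename)
    return found


def build_sample_workbook():
    """Constructed input: a container with an XLSB-style binary macro sheet,
    a veryHidden sheet entry, XMP namespace URIs and one real-looking URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/macrosheets/sheet1.bin" '
            'ContentType="application/vnd.ms-excel.macrosheet"/></Types>')
        zf.writestr("xl/workbook.xml",
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
            '</sheets></workbook>')
        zf.writestr("xl/macrosheets/sheet1.bin", bytes(range(256)) * 16)  # stand-in BIFF12 bytes
        zf.writestr("xl/media/image1.xmp",
            '<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
            'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:exif="http://ns.adobe.com/exif/1.0/"/></x:xmpmeta>')
        zf.writestr("xl/sharedStrings.xml",
            '<sst><si><t>http://example.invalid/payload.exe</t></si></sst>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook()
    for hit in find_macrosheets(sample):
        print("macrosheet:", hit)
    print("sheet states:", sheet_visibility(sample))
    for url, meta in triage_urls(sample).items():
        print(meta["kind"], url, sorted(meta["parts"]))
```

Run it against a real file by replacing the constructed bytes with `open(path, "rb").read()`. Only the URL in sharedStrings.xml comes back labelled "review"; the RDF and Adobe URIs are labelled "namespace", which is the distinction the EMBEDDED_URL heuristic leaves to the analyst.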

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: bb2b06064d43f31762fc178101287a1bef8f67b437cf4b0f368451989d9f47cd
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 489662 bytes (decompressed part size; it exceeds the 216.1 KB of the sample because OOXML parts are deflate-compressed inside the ZIP container)