Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 411a4587bc2cde60…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 268.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-02
MD5: e43c122ad8c35adc9317dd8aa38d2c3a
SHA-1: de2d955220aad0b52467426bb95301f4939aa724
SHA-256: 411a4587bc2cde60c95a72cdbbba4d283bd8ce4edc8b479c690ad2f10eea1269
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic

The sample is an Excel file containing multiple Excel 4.0 (XLM) macro sheets, as flagged by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics; the ClamAV detection further confirms its malicious nature. The embedded macro sheets appear to be obfuscated, and the presence of ten of them in a file named .xlsx strongly suggests an attempt to execute arbitrary code. The primary attack pattern is most likely execution of these macros to download and run a secondary payload.

Heuristics (3)

  • Excel 4.0 macro sheet (10 sheet(s)) [severity: critical; rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [severity: critical; rule: OOXML_XLSB_INTL_MACROSHEET_IN_XLSX]
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Multios.Malware.Agent-9967226-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Multios.Malware.Agent-9967226-0

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                                Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  322 bytes   1434b2bef33f9d8608b044437f48428e0298120e7017f631a2f33ba56aa6c752
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  2151 bytes  04a1c8c42066978968a402f8a04ce6a5a7673ecef4b9debc084649b52b747f64
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      484 bytes   765804c19d50bdd3bcc0391b1b9907ad74cc8149c930eb53ac36c0ed226f6de5
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin      484 bytes   39bea9fab1c795173046b51b75a53296ad66f29d76b487594d693a8390fbe92c
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin      428 bytes   a6b98894165c30b3d44d75e60bb0a628e7ecada95b399f9412700fb2b0674464
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin      484 bytes   0d7e2c72dfab2ccd23720ac96f72180b9d1cef3452c51624561364c9943be252
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet5.bin      484 bytes   c06f64468ac5923dcab4a106464d68314b609b115aa2e65526acb7d8e698561f
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet6.bin      428 bytes   e78a0903c52a61f894d5702c5711f1a752800c144bcfc4cc3d9ea865cf5194b2
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet7.bin      428 bytes   3f0408b1671e6462403801fc8b3914288e73bf7bc2458e5f2ed94327d170c160
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet8.bin      348 bytes   84adc44516a7e45de092091efae98c83b606d8196e202b922a66afc0dabdceb0