Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 42399d23013780c7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 119.7 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 517e7dcf68d00c43de8b7cda4e0b6bf5
SHA-1: 6f2cf85fe3350f5c258659eedce129e3f2b5f6c7
SHA-256: 42399d23013780c7d5cbcfa2340c92ad913c152f98b3269e8526aa93e07a34ed
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET heuristic. While the macro content is heavily truncated and obfuscated, the presence of Excel 4.0 macros strongly suggests an intent to execute arbitrary code. The primary function appears to be downloading and executing a second-stage payload, a common technique for initial access.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256:  d145182188e900b917590188f1eb9d5454eba3b3e5a8c813af6e8d60239deae8
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size:     5058 bytes