Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 42b382be2e0f600f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 52.2 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
MD5: 7595dc40f4afafd883b97b2690c04fe0
SHA-1: 0e7b3cc495b0e570cc61a19ee27b7fab133a069a
SHA-256: 42b382be2e0f600fcec16ead4440475ffa839ed56724ef960b24f2affda4afb9
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Service Execution
  • T1204.002 Malicious File: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The file contains multiple Excel 4.0 macro sheets, including one with an Auto_Open defined name, indicating it is designed to execute macros automatically when the workbook is opened. Critical heuristics identified the use of dangerous XLM formula APIs such as RUN and CALL, which are commonly used to download and execute payloads. The presence of an embedded URL pointing to an executable file further supports this assessment. The macro sheet likely downloads and executes a second-stage payload from the embedded URL.

Heuristics (6)

  • Excel 4.0 macro sheet (7 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: RUN, CALL, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://invoice7mukszq9nbpa7online.ru/unfeminized.exe
    • http://invoice7mukszq9nbpa7on
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • xlm_sheet_00.xml
    SHA-256: ec6fb1620b7920ba485f10765250e928647f3aafa797249bab04a3ffd5ab4890
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet4.xml
    Size: 716 bytes
  • xlm_sheet_02.xml
    SHA-256: e942e4d74fc50ccd94ef30b0190dcb8b29cb56b39faddf1a0f68bbb24de65f82
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.xml
    Size: 35032 bytes
  • xlm_sheet_03.xml
    SHA-256: 8a556c00a0a5a64ee279aeb17848e5c43fde66406a1dcb590b93ac4f867a0104
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 66470 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s).