Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 42e88d8e7f70d3a0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.16 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-08
MD5: eaff10223b07f4e5027b89d996d49073
SHA-1: 6386e8de6b5c505b6444914f517264c5a30fbf65
SHA-256: 42e88d8e7f70d3a005fe894ce668420607aae1882f30a16114a55d341419b709
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains multiple Excel 4.0 macro sheets, indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. These macros are designed to execute arbitrary commands, which is a common technique for initial access or payload delivery. No specific family could be identified due to the generic nature of the macro sheets.

Heuristics (2)

  • Excel 4.0 macro sheet (4 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source part inside the package, size, and the SHA-256 of the carved file.

  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 6145428 bytes
    SHA-256: 36bcdb650f3335661fd30903e4ddbb92ac947513ed380f203fccc03424ff9fe4
  • xlm_sheet_00.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
    Size: 1717 bytes
    SHA-256: 44e1c910560c290cf1fe3eb0d0256a21f957a1765ea926de110b1985b1f72819
  • xlm_sheet_01.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin
    Size: 792 bytes
    SHA-256: ec25b05dca7aaeaed79bb62fb6411ee9f85904d5e8709aa43d05d83ea361677c
  • xlm_sheet_02.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 402 bytes
    SHA-256: f0a9425b8507f47d4bffbfc9986e6f77a1eec5a7b094745fec3307154c314949
  • xlm_sheet_03.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.bin
    Size: 322 bytes
    SHA-256: 7b780847888f3179b9a2306b1d9dd4b22d991fb4b1641b18d3184a5b6ac9038f