Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 499f869b93aa412f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.16 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-29
MD5: e11d8072bcd027ac94b972b34876ddd0
SHA-1: ec9820bc166de546d8ffc7a4037157667ada8eeb
SHA-256: 499f869b93aa412fa94d8a58eb5e72f1041bd41166bd33c5890daab3bbe6b4b0
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an XLSX document containing multiple Excel 4.0 macro sheets, identified by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. These macro sheets are known to be used for executing arbitrary code. While the specific commands within the macro sheets are heavily obfuscated and truncated in the provided evidence, the presence of these macro sheets strongly suggests an intent to download and execute a secondary payload. No specific family could be identified due to the obfuscation.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                             Size
emf_00.emf        ooxml-emf       OOXML EMF part: xl/media/image1.emf                6145428 bytes
  SHA-256: a12daa770fc1848e39c880d90376e8e5b6814576e9bdbfaa076685fd9b9b2ba3
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin   484 bytes
  SHA-256: 94dcae400bad291e7734b3303be72f72bc74b4ef3f7737fe960644bb383a7a69
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin   484 bytes
  SHA-256: 6b69a539d2d44586cd29d86a91c29f1e2ba8aa4a323b5a4a9f7f0d23cd002d42
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  2165 bytes
  SHA-256: 46ff111a4683eea3ae97021320d38aa4eb315350d26452c986cde8fd19a80a92