Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4a5899e9b2a6e461…

MALICIOUS

Office (OOXML)

62.0 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300
MD5: a12ad7cc0adae78e14ae648b63e37699 SHA-1: 118ca4e4b3c7a747e06403b3dad87b69c1b38098 SHA-256: 4a5899e9b2a6e4618465d57b162cad20662e6611ea6548beeebc4084341105ef
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic firing indicates the presence of Excel 4.0 macros within the OOXML file. These macros are known to be used for executing arbitrary commands, often to download and execute further malicious stages. The truncated script content prevents a more detailed analysis of the specific commands being executed.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
c03a19a43999132e3e943a64d9f09c145c1ff1f3e7ec64136db086ccbbd870ca		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin 1811 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.