Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4c2d9a490d0f7d99…

MALICIOUS

Office (OOXML) / .XLSX

Size: 96.0 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4b83ca0bd53d4c9165e61a1cc8411a4e
SHA-1: 349d3543ce61727365b4c1dce11518bdbf309550
SHA-256: 4c2d9a490d0f7d99217e5b7f6cdf5e18a4fca020db6d89592574db2f3df60db5
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains embedded Excel 4.0 macro sheets, identified by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The macro content includes strings that reconstruct URLs and filenames, which indicates downloader functionality. Specifically, the macros appear to construct URLs such as '190.14.37.153/', '192.99.255.41/', and '80.71.158.163/' and to target files named '.dat' and '.dat2', suggesting the download and execution of a second-stage payload.

Heuristics 3

  • Excel 4.0 macro sheet (3 sheet(s)) | critical | OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx | critical | OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.Docusign112101-9908076-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Docusign112101-9908076-0

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Hash | Kind | Source | Size
xlm_sheet_00.bin | fc3749e4f74c1293dc36bc33bfc5481e4492838facad05a8af43cdfe54377654 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 541 bytes
xlm_sheet_01.bin | 906cf334b7e575a580033e8d27ae5eb97f0a225a66ed59706e9821a3ca37d9fd | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 1814 bytes
xlm_sheet_02.bin | 8f8bc19938c9a024a8b6ba22e84df50cac24fa8598bb733c13886a2e23616945 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1716 bytes