Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4c48baf342be1252…

MALICIOUS

Office (OOXML) / .XLSX

226.9 KB Created: 2026-03-21 00:38:31 UTC Authoring application: Microsoft Excel
MD5: b06da08c4e424c2afb0cb208d88a57eb SHA-1: 5480af576ba26aa9a7972c0fe8ce287795824174 SHA-256: 4c48baf342be125288780ba8386566dadd3f6d4599c57fc1d12220d5b8fbb3ab
150 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 User Execution: Malicious File T1059.001 PowerShell T1059.001 PowerShell

The sample is an XLSX file masquerading as a corporate financial report. It contains a hidden sheet with an Excel 4.0 macro that uses the EXEC function to launch a hidden PowerShell process with the -EncodedCommand flag. Because the PowerShell payload is constructed from a large number of cell references (C5 through C187), the final command is too truncated to fully reconstruct the literal value of the base64 blob.

Heuristics 5

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
187077e150092ba4f5a8cb321b8189ac45b2ffb78370507fc3c7462ec6b8b083		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 625584 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 2226 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.