Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4e9310b547aaef12…

MALICIOUS

Office (OOXML) / .XLSX

96.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b909c157cac4a60d6eb1cc614deb4de5
SHA-1: 7d7d793c365724e3882a320c8ec366b27929fe0b
SHA-256: 4e9310b547aaef12d30c9f4af474a168d5bafdcf3b5379a914c5840e76d28bac
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSX file containing multiple Excel 4.0 macro sheets. These macros are designed to execute arbitrary code, which is a common technique for initial payload delivery. No specific family could be identified due to the generic nature of the macro execution.

Heuristics (2)

  • Excel 4.0 macro sheet (7 sheet(s)) [critical, OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical, OOXML_XLSB_INTL_MACROSHEET_IN_XLSX]
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin c37fba766abd6d156918a643e026b438f9eb0eaa225c144756cd2a5c6fda4519 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 484 bytes |
| xlm_sheet_01.bin 22bba77ccfeebe8e5c4e883612c26774cb0b357b34f9b8f821432aab3ada7cb3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 484 bytes |
| xlm_sheet_02.bin a54cfa9ba41e5598d383926a84d25941debd28f24c9934cba5a5f56d9097ca69 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2076 bytes |
| xlm_sheet_03.bin cc1fea1c5ed0ee9ba6377487e147436c2cdc066a48105c36d0aca3c1995417f4 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 484 bytes |
| xlm_sheet_04.bin fc16eb2a62981f93b25a935d0a0fb49d33f90429021cb43f6e7f301424f17a92 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 484 bytes |
| xlm_sheet_05.bin e1559372370dc0c7c16b816f71c2d5acc0e30cc8878cffe531ed647dae733bb2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 484 bytes |
| xlm_sheet_06.bin 1f384d37a830103e6e157bda73c1f5bba7a0a8db52a6ba5a8d8560d3886df131 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 484 bytes |