Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4eea330f8fdd2a50…

MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 105.6 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 5f788c0a85f200cc321cd0593a18ffa0
SHA-1: f0f3b496ae64e5115fd39a00dff04b351c84f941
SHA-256: 4eea330f8fdd2a503795c9b25346b3e752ba18b7ef2c776fff5b21bdc8a8e12e
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates the presence of Excel 4.0 (XLM) macros. The extracted macro content reveals attempts to write to the file system, specifically creating directories and files such as 'C:\ProgramData\a.exe' and 'C:\ProgramData\t.tmp', and DLLs within 't.tmp'. This strongly suggests the macro acts as a downloader or initial execution stage for a malicious payload.

Heuristics (1)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_sheet_00.bin
    SHA-256: 2d9d421573b7812fb42ee3e7f062f356c90d2297cd56f8b05c1259608817fcdb
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 4159 bytes