Office (OOXML) / .XLSX malware analysis — malicious · 5170144b043c9334

MALICIOUS

Office (OOXML) / .XLSX

113.6 KB Created: 2021-03-05 04:08:28 UTC Authoring application: Microsoft Excel 16.0300

MD5: 74c4c72a0389ef1dfd46c5d3d4545e78 SHA-1: 6a617d27bc5f9ecc4fb93f5539a11b1fa4bfec0d SHA-256: 5170144b043c93346767e5d18a5e4b7ef104d96b2ee15e43cd75dca8a0c580c8

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, as indicated by the OOXML_XLM_MACROSHEET heuristic. ClamAV detected this file as Doc.Downloader.Trojan. The embedded Excel 4.0 macro sheet is heavily truncated, but the presence of macro sheets and the downloader detection strongly suggest the file's purpose is to download and execute a secondary payload. No specific IOCs could be extracted due to the truncated nature of the macro sheet.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `7e124f5e116e2d8a7e8464f7a0639422d0aa73d23ecc82b0d90d5bf1f1e63827`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	10168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.