Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 54d8230199caabba…

MALICIOUS

Office (OOXML) / .XLSX

Size: 125.3 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c65878847972822baec3f03d8667374f
SHA-1: 0c08ad2939d926204171fc23cec7286ca4cb735e
SHA-256: 54d8230199caabbab5472a7c92343960101223744e0cab53f7029113d144d77f
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing multiple Excel 4.0 macro sheets, as indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The ClamAV detection of 'Xls.Downloader.GreenOffice01223-9937701-0' suggests a downloader functionality. Although the script content is heavily obfuscated and truncated, the presence of macro sheets strongly implies an attempt to execute malicious code, likely to download and run a further stage. No specific IOCs like URLs or hashes were directly extractable from the provided script excerpts.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) (severity: critical; heuristic: OOXML_XLM_MACROSHEET)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx (severity: critical; heuristic: OOXML_XLSB_INTL_MACROSHEET_IN_XLSX)
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_sheet_00.bin | 233d417b205fa548ee199db8f7dcde5eec5ed25d77f05e8ea9c00ce21c35b939 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2510 bytes
xlm_sheet_01.bin | 500952c6629948897d18f1986d28785709479e7f8593807356d0fedc7f951272 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes
xlm_sheet_02.bin | 5a15ced69dee870a7d3a5570d88d6d7f09745990f086317a0ee636a9ed4df291 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes
xlm_sheet_03.bin | 4b15edbbba9a65d33fdb500ff8626d9621bac2195ef74d699735b09b21a8028b | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes
xlm_sheet_04.bin | bf2a739fa56c3d15384a1c3110a865e233378e8fc718fbfef40f953b3883318f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes
xlm_sheet_05.bin | 0107b41473071ac5d8b8cb52a31f8c9f5c2d660b8817625277f4f17623947455 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes
xlm_sheet_06.bin | 96bdb6b024c43a4a919a0b7ca20a7186fc8d758fff92d3c7bf74bb2068e7446a | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes
xlm_sheet_07.bin | e561d2de881f21620feda2d77d70861eff058969308a438af3cd54f04c908a83 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes