Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 558e8de9585f3d2e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 111.1 KB
Created: 2021-09-20 10:27:09 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 05dfde077206d140af87a91fe51cfc95
SHA-1: 2978bdeb4484ccd92536d1044a18e5382b5056a1
SHA-256: 558e8de9585f3d2e8397b29cc9c7bea595612567968e056fe25219c05dcf460a
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET heuristic. The extracted macro sheet content is heavily obfuscated and does not reveal specific commands or URLs. However, the presence of XLM macros strongly suggests an attempt to execute arbitrary code, commonly used for downloading and running further malicious payloads.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet(s)), severity: critical, heuristic ID: OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: 39ac1e83f9c55944dde1c2cd540d763248be374977f8a2287bb0e93e277355b5
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 873 bytes