Office (OOXML) / .XLSX malware analysis — malicious · 55cfc4bb604f7495

MALICIOUS

Office (OOXML) / .XLSX

101.3 KB Created: 2021-02-03 15:28:44 UTC Authoring application: Microsoft Excel 16.0300

MD5: 03c7e2bb20e593f84c9c123e92a5f2da SHA-1: b0c77d4f7156556b8f9096cdb9a2c2bfa13f03f1 SHA-256: 55cfc4bb604f7495d1a6f7c4ae48d962cb94705d897919ffd2f4a0e224344458

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is identified as an Excel 4.0 macro sheet, disguised within the OOXML package structure. This indicates an attempt to hide the malicious macro content. The macro sheet itself is heavily truncated, preventing a detailed analysis of its specific actions. However, the presence of disguised Excel 4.0 macros strongly suggests a malicious intent, likely to download and execute a secondary payload.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Excel 4.0 macro sheet stored under disguised package path critical OOXML_XLM_DISGUISED_RELATIONSHIP

OOXML package declares an xlMacrosheet relationship whose target is outside the canonical xl/macrosheets/ path. Excel follows the relationship type, while path-only scanners can miss the macro execution surface.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `28adac7f31867b71ac631cb1a7c01caae86c2b4b5ea35cb02f9e6155cd6448e0`	xlm-macrosheet	OOXML XLM macro sheet: xl/dt/sheet1.bin	960244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.