Xls.Downloader.GreenOffice12210-9918618-0 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 55fa2181c864f48c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 229.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3571a01c6f9e274997c83ed02ef474af
SHA-1: cb0d73d355b7efc6bcb6c896950f12c635d072da
SHA-256: 55fa2181c864f48c53ec57f85afb358ec7a748d8ce91e8183a34539e235df168
Risk Score: 180

Malware Insights

Xls.Downloader.GreenOffice12210-9918618-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice12210-9918618-0. Static analysis revealed the presence of multiple Excel 4.0 macro sheets within the XLSX file. One of the macro sheets contains obfuscated code that, when reconstructed, reveals a URL pointing to '185.82.200.56'. This indicates the macro's intent is to download and execute a second-stage payload from this IP address.

Heuristics (3)

  • Excel 4.0 macro sheet (10 sheet(s)) (critical, OOXML_XLM_MACROSHEET)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx (critical, OOXML_XLSB_INTL_MACROSHEET_IN_XLSX)
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice12210-9918618-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice12210-9918618-0

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Hash | Kind | Source | Size
xlm_sheet_00.bin | d393f69693744abdd8f876e102e4fbc3ecc1a0a447aa20db986e75459ec0f294 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes
xlm_sheet_01.bin | 52e510ab08d0060d0f7d79eda9ccc87eef4caf8e3f28c2c997cd20f0bed00fb9 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 679 bytes
xlm_sheet_02.bin | ee32dae7d081a45ace4105698d6572d66fe3d02d6be7859344f87e0c3c854e8e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 3184 bytes
xlm_sheet_03.bin | b90b590750056067702de85528a406caefe78ca3e494ee63a8d6c8fdb76e8536 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1744 bytes
xlm_sheet_04.bin | c83a8b060ec995b46abafd46e8dd5d74cbbba3c5690b816ad1b96e619b66d344 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 964 bytes
xlm_sheet_05.bin | a3e4e13d7fd4e590038b1d90ba3810e26d6d1a4900483fae1c8ea13965449a89 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 679 bytes
xlm_sheet_06.bin | 281aebaef2fe3da49ecf9cb26700009c99d10165b6886ad3e61d515928473945 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 650 bytes
xlm_sheet_07.bin | 22004236d0ad8b71040314aa93e736df3e454739bcccd88b9b3b6492f1e383a0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 423 bytes
xlm_sheet_08.bin | 923c9ea6bf12658978fe9ee2da48ac462151630f045ddddfd3ac97473eda11a5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 757 bytes
xlm_sheet_09.bin | 29cd52fc343dce4af62b58fda898f37b4a97cb866e6e12700d41c0e1cbdf6fd3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 754 bytes