Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 563bfe18959a211f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 40.6 KB
Created: 2020-05-05 12:58:46 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 1aa608b6fc75d0564d2dd07c098db8c1
SHA-1: 5d184a4c4d48f4632136583a1253d850849f1737
SHA-256: 563bfe18959a211fa6250cc3e503c402fbb4554bf09d068f0a897bb3c6cc0de2
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1204.002 (Malicious File)

This XLSX file contains multiple Excel 4.0 macro sheets, which are uncommon and often used for malicious purposes. The critical heuristic firing indicates the use of dangerous XLM functions like RUN and CALL, which are capable of executing arbitrary code and downloading payloads. The presence of hidden sheets further suggests an attempt to conceal malicious activity. The document body itself contains placeholder text and does not provide direct clues to the lure, but the macro execution is the primary threat.

Heuristics (5)

  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: RUN, CALL, HALT
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • [high] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (12 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [medium] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 12 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs listed here are OOXML/SpreadsheetML XML namespace identifiers declared in the workbook's XML parts, not download locations contacted by the macro.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 47703 bytes
  SHA-256: 388de6ee82c6631534180ae78655d7cfebcf454f6a20c305fe052faf2cf707bf
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 shell/COM execution token(s).

xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 40290 bytes
  SHA-256: b49d075a062295598a30365407841088b5f7914230e9806aed12f6ff65c17e66

xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1086 bytes
  SHA-256: 192e878ea9c81c392b8779ec8689c0efa54fdc92516751f71b91d01ad7d1f5fb

xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.xml | 1086 bytes
  SHA-256: e393f95ba445f11802756729f6bbf26de076ab6935863f5d0ab3e36e6ef73499

xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.xml | 1086 bytes
  SHA-256: b039b69776ede2c5a005b9e805431efffd67fe13867911aa17c099b6ba3cadb2

xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.xml | 1086 bytes
  SHA-256: 43ae707d9f635fb8e433b9295418e69adceb8060eeadd586d1d023cdc0ed54b7

xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.xml | 1086 bytes
  SHA-256: b2149c23afc9b8d0df9433452e29c59117a2266ec2296f255fe22cc0d0efccd7

xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet8.xml | 1086 bytes
  SHA-256: 9ac267d85ff48fcc263fd368e855c2f5fc79b2b5aa51ac9c2899b0ea6f2c10f3

xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet9.xml | 1086 bytes
  SHA-256: 3f8330348a1ce75c7ccd8991c891ca2ff873c6cf4bc17715eb69a1600a082719

xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet10.xml | 1086 bytes
  SHA-256: 6a3d54510887c4d9257e6c71a4098a7c55fcfc0e52a6b4f2066758d1eda44313

xlm_sheet_10.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet11.xml | 1086 bytes
  SHA-256: 386bff73245bf754e4528ae3178470f8f517900ed98596b51824dfafeebbaeed

xlm_sheet_11.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet12.xml | 1086 bytes
  SHA-256: 3821ed39af1fcc6d1dd1c5c55dc2a9361a912599969e46a1dff5cc6d95b19660