Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 56e5ff88c20be6d4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 123.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ef8568dd0f9720bb8d79983d742e598c
SHA-1: 95e60b5ca8f0581d69846d5d84aedef6522ec695
SHA-256: 56e5ff88c20be6d4a8ce5f22c4c09dc6b8a9daa321c4466d5d68d8626f8ef6b3
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice01223-9937701-0. Heuristics show eight Excel 4.0 (XLM) macro sheets stored as XLSB binary parts inside a package that carries an .xlsx extension; XLM macro sheets are a common vehicle for downloading and executing further malicious content. Seven of the eight carved sheets are 484 bytes each, and the international macro sheet (intlsheet1.bin, 2679 bytes) is the largest. The macro content is heavily obfuscated, but the overall structure is consistent with downloader functionality.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults; even legitimate XLM use is rare in modern workbooks. The macro sheets are stored as XLSB/BIFF12 binary parts, which XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0
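A detector for the two heuristics above, added here as an example and not the scanner that produced this report: it maps every part in the package through [Content_Types].xml instead of trusting the .xlsx extension, flags macro-sheet parts under xl/macrosheets/, and walks the BIFF12 record headers of any .bin part to confirm it is a genuine XLSB record stream rather than renamed XML. The part names are the ones listed in the artifact table below; the content-type strings and the BIFF12 record IDs used in the constructed sample package are assumptions (the detector only needs the substring "macrosheet" in a content type), and the sample package is built inside the block, not carved from this sample.

```python
# Added example, not the report's scanner. Flags XLM macro sheets stored as
# XLSB (BIFF12) parts inside a package named .xlsx. Part paths follow the
# report; content-type strings and BIFF12 record IDs are assumptions.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACROSHEET_PART = re.compile(r"^xl/macrosheets/(intl)?sheet\d+\.(bin|xml)$", re.I)


def _varint(data, pos, max_bytes):
    """Decode a BIFF12 base-128 little-endian varint (high bit = more bytes)."""
    value = 0
    for i in range(max_bytes):
        if pos >= len(data):
            return None, pos
        b, pos = data[pos], pos + 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos
    return None, pos  # continuation bit still set after max_bytes: malformed


def biff12_records(data, limit=64):
    """Walk BIFF12 record headers (type: 1-2 bytes, size: 1-4 bytes); return
    [(type, size), ...] or None if the bytes are not a record stream."""
    records, pos = [], 0
    while pos < len(data) and len(records) < limit:
        rtype, pos = _varint(data, pos, 2)
        rsize, pos = _varint(data, pos, 4)
        if rtype is None or rsize is None or pos + rsize > len(data):
            return None
        records.append((rtype, rsize))
        pos += rsize
    return records or None


def part_content_types(zf):
    """Map every part name to its content type from [Content_Types].xml."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {d.get("Extension").lower(): d.get("ContentType") for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName").lstrip("/"): o.get("ContentType") for o in root.iter(CT_NS + "Override")}
    return {n: overrides.get(n) or defaults.get(n.rsplit(".", 1)[-1].lower(), "") for n in zf.namelist()}


def scan_package(blob, claimed_ext="xlsx"):
    """Inspect every part (not only XML worksheets) and return the heuristics
    the package should raise given the extension it was delivered with."""
    result = {"xlsb_parts": [], "macrosheets": [], "heuristics": set()}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name, ctype in part_content_types(zf).items():
            is_bin = name.lower().endswith(".bin")
            if is_bin:
                result["xlsb_parts"].append(name)
            m = MACROSHEET_PART.match(name)
            if not (m or "macrosheet" in ctype.lower()):
                continue
            result["macrosheets"].append({
                "part": name, "content_type": ctype,
                "intl": bool(m and m.group(1)) or "intlmacrosheet" in ctype.lower(),
                "records": biff12_records(zf.read(name)) if is_bin else None,
            })
    sheets = result["macrosheets"]
    if sheets:
        result["heuristics"].add("OOXML_XLM_MACROSHEET")
    if claimed_ext.lower() == "xlsx" and any(e["intl"] and e["records"] for e in sheets):
        result["heuristics"].add("OOXML_XLSB_INTL_MACROSHEET_IN_XLSX")
    return result


def _record(rtype, payload=b""):
    """Encode one BIFF12 record with the varint scheme _varint decodes (constructed data)."""
    def enc(v, max_bytes):
        out = bytearray()
        for _ in range(max_bytes):
            v, b = v >> 7, v & 0x7F
            out.append(b | 0x80 if v else b)
            if not v:
                return bytes(out)
        raise ValueError("value does not fit")
    return enc(rtype, 2) + enc(len(payload), 4) + payload


# Constructed stand-in for the report's package: an XLSB workbook plus two binary
# macro sheets under the part names the report lists. Content types are recalled
# from MS-XLSB (assumed); record IDs 0x81/0x82/0x83/0x84 are placeholders.
_CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
 <Override PartName="/xl/workbook.bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>
 <Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>
 <Override PartName="/xl/macrosheets/intlsheet1.bin" ContentType="application/vnd.ms-excel.intlmacrosheet"/>
</Types>"""


def build_sample_xlsx():
    sheet = _record(0x81) + _record(0x01, b"\x00" * 8) + _record(0x82)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("xl/workbook.bin", _record(0x83) + _record(0x84))
        zf.writestr("xl/macrosheets/sheet1.bin", sheet)
        zf.writestr("xl/macrosheets/intlsheet1.bin", sheet)
    return buf.getvalue()
```

Running scan_package on the constructed package raises both heuristics; passing the same bytes with claimed_ext="xlsb" drops the second one, which is the point of that heuristic: the finding is about the extension lying, not about the macro sheet existing. On a real sample, pass the file bytes and the file's own extension, and read the returned records list to see whether a .bin part is a parseable BIFF12 stream or something else hiding behind the name.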

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename          Kind            Source (OOXML XLM macro sheet part)  Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  xl/macrosheets/intlsheet1.bin        2679 bytes  e0440aded7ab94dfa712720e673b4e0f174bdefb91d00826c3ff5ea94eb9f2b0
xlm_sheet_01.bin  xlm-macrosheet  xl/macrosheets/sheet1.bin            484 bytes   2380f6fc7152a9d410adfd7ff8185af954ee15a49c71d4a6dcd922f98492aaf1
xlm_sheet_02.bin  xlm-macrosheet  xl/macrosheets/sheet2.bin            484 bytes   fbe1a872d6408b9d07765472ca97b7e10450cbf2bb64e32ae26cee892cef4a50
xlm_sheet_03.bin  xlm-macrosheet  xl/macrosheets/sheet3.bin            484 bytes   e8b7c7423e214ccd33c7b5220eaa8108d2ffb1f2f39aae3b3b7045afe3be7e78
xlm_sheet_04.bin  xlm-macrosheet  xl/macrosheets/sheet4.bin            484 bytes   ced277ef53700f6fcec2f31e5d7089b59998419223599bf4f57b20af56c682e9
xlm_sheet_05.bin  xlm-macrosheet  xl/macrosheets/sheet5.bin            484 bytes   2b7c33b56eae1761f0499d8a41cb4dd1fdc547795e3273427d6352730bf89a67
xlm_sheet_06.bin  xlm-macrosheet  xl/macrosheets/sheet6.bin            484 bytes   df7e72f81f3f1388096bb9c6178415bfe9d12093a2c4da8ccc3ae92b0fcf9407
xlm_sheet_07.bin  xlm-macrosheet  xl/macrosheets/sheet7.bin            484 bytes   f156f5267eeb625bee82f34c0ee6625c6115793f6543db431f1b0326845a1f83