Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 59cd9dc7a9c2bc5f…

MALICIOUS

Office (OOXML) / .XLSX

80.0 KB | Created: 2015-06-05 18:19:34 UTC | Authoring application: Microsoft Excel 16.0300
MD5: fd9c34bf68cd57fe9bf33b3d837b43f8
SHA-1: 6aeb21d0067a98b0836d0ba16db95c0a624f8917
SHA-256: 59cd9dc7a9c2bc5f4d00c69e28c55d6622f8792fe87b016549c30e76736e3b58
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an XLSX document containing multiple Excel 4.0 macro sheets, indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. While the macro content is heavily obfuscated and truncated, the presence of these macro sheets strongly suggests an attempt to execute arbitrary commands upon opening. The specific commands and their targets could not be reliably determined due to the obfuscation and truncation of the script content.

Heuristics (2)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.bin bee3fd9d1ce99b02b35f5662e4de7e62bdd41e05deca34e537b522a1aeca442e | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 322 bytes
xlm_sheet_01.bin 437e9f5e46f50f6264f1468611cb3a7016fd693f55a8d679ff97bada55b19d48 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2093 bytes
xlm_sheet_02.bin bf9296aaf0e5b84a19f6b3ff4b9afe95753013f257b1d1c75c70cc1b08b9ad68 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 477 bytes
xlm_sheet_03.bin a500f1ae4d898900a3144ae215bd4e3f47736c4875919f139ec5546ed6597e8b | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes
xlm_sheet_04.bin ab3f84691f75f808a265fd47fd2de553fe8c7cf42364c345d2da1035041ddb59 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes
xlm_sheet_05.bin 333e01ee17df88556ba83b070e2d77a0478ddb01a29baf7fdef93732ee59798f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes
xlm_sheet_06.bin 136f099ac6cb64e1d7601355d317ccd460b2865c1d11e5b443b06a6d14ea4197 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes
xlm_sheet_07.bin dbe22dd404c1f321e5a0fb3f96913e4db489106ba51a7dad6ad1e5cc3a952f21 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes
xlm_sheet_08.bin cee664e2fc6f8587326643d7a2f63389c2e546edb39c94eedb830f20a7051f28 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet8.bin | 428 bytes
xlm_sheet_09.bin 415f1451b36102d686540ecdf4d3c07a4666c68b1840c08ab5d0bff7af909409 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet9.bin | 348 bytes