Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5b8a82fc7209d40d…

MALICIOUS

Office (OOXML) / .XLSX

Size: 84.4 KB
Created: 2020-05-21 11:42:43 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 6df494468bdd94b1748fc514bbfdf784
SHA-1: d7e2ae2fea1f1bbf8f677f431bd98a39c4bc8039
SHA-256: 5b8a82fc7209d40dff72c6e53a9cd35f66f2eef949e6cc84c5f24049a1b12a80
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing Excel 4.0 macros, which are known to be used for malicious purposes. The macros reassemble a command line that decodes a file named 'ngs.txt' into 'ngs.dll' using certutil, and then executes the decoded DLL using rundll32. This indicates the file's primary purpose is to download and execute a second-stage payload.

Heuristics (3)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename, kind, source, size and SHA-256 of each carved file:

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2610 bytes
    SHA-256: 7aa4187706b7003a52de6699ad5a674e6d1dfb6921f74ab806ef136961c522e6
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 23040 bytes
    SHA-256: 8e4069985a117111ce31d9951f47c171c5f62276f1fa793819095da98baefc6d
  • xlm_sheet_00.bin
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 1903 bytes
    SHA-256: ec5851ef39d1c2101f22ad4d7ee37fadb0c81eae29e24b06ef4dc73fcd15ff2f