Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6096e290d2b9c5d1…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 183.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 31cabbb731c94515169c96728878dfcf
SHA-1: 9e6aa6a84202ea802587d894f5d0292355660839
SHA-256: 6096e290d2b9c5d1979cba04455c7dc9c57b65fd2e5fe96c3f5a551e574071e6
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

This Excel file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize the `REGISTER` function to call `URLDownloadToFileA`, indicating an intent to download a second-stage payload from the specified URL. The presence of hidden sheets and dangerous XLM formula APIs further supports this assessment.

Heuristics (7)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings [critical] OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.GreenEnable06210-9869360-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable06210-9869360-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_sheet_00.xml | 1e56e1f2eede302543e5df8b9ebfaea744b26d28977f1390ea971f4b360a26ef | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3222 bytes
xlm_sheet_01.xml | 9f05fa9be829be1eefeb660a152567edb54f7c357d0db2659790a946134ef9bd | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1785 bytes
xlm_sheet_02.xml | 405845b1631a0aa71b486f4418949d96bde2110bb9f06addaf0fcd75e88528c3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2657 bytes
xlm_sheet_03.xml | 43e6f6f4ebc87c4132b97fece91322592028938542550327d7113eb1c83010e5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1849 bytes
xlm_sheet_04.xml | 49dcda5b792610c41de404d2b70cfc974135ab65a439e8c738a1c9da0fcb9f77 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1771 bytes
xlm_sheet_05.xml | d36f154dba963b8e1b114a8eb7856a7559b20af161115ec9858bc4527e63792f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1559 bytes
xlm_sheet_06.xml | 84c260af46eecb368a56b6975dc52f2fe5cc18e2695b57472a4ec15bdec2c065 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1586 bytes
xlm_sheet_07.xml | ad7ce2861628a67d038db82c6e0c4f96565fd87f489a044f5b06b21d72a592e1 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1589 bytes
xlm_sheet_08.xml | b58afdef5f0f3f74593fd083f85481e37c174bf42505739468eec6cc33659cb4 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1582 bytes
xlm_sheet_09.xml | 78202619198b2160503b5dd1d62f26d794ff5905704afedefc7df1582494d5b5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1630 bytes