Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 62bb4d89d905a988…

MALICIOUS

Office (OOXML) / .XLSX

Size: 480.1 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b2d0d4f82f05bc6463d67b03ae6d58d1
SHA-1: 416303f9dbdafc02e144570b63e8dc865434980a
SHA-256: 62bb4d89d905a988f154fcb9bd60a376cca42c1343e03b03a897d039eb8d4036
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The file contains Excel 4.0 macros, which are known to be used for malicious purposes. These macros are designed to reassemble and execute a payload from local file paths, specifically referencing Dotr1.ocx, Dotr2.ocx, and Dotr3.ocx. This indicates an attempt to download and run a second-stage malicious component.

Heuristics (2)

  • Excel 4.0 macro sheet (7 sheet(s)) [severity: critical, rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas [severity: critical, rule: OOXML_XLM_REASSEMBLED_PAYLOAD]
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                                Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  363 bytes   fe8c9bbdebbc101416d357c0f8b1467b3ffc665d3ad3b6464d779efc546018fe
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin  363 bytes   142c474f5b65f41f7487d7bd4b30317f3f15749f7bb00ef30c374ff4e8d3b8b5
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      3349 bytes  fb8f9f78c965d57c77f790338149ee0188b49113617e3bb658be0b6bcc69820c
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin  363 bytes   7b50d126e61d11c7426b0f6d0b36768dce1391a8a85e3d336d13dbb55080b769
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin  363 bytes   9b5f9daf898ff1888f9647c1f8eff3f98bca443912da43ad7e9f2c19e06204ca
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin  2589 bytes  8f084010ac0788038b52a75bc18f911a978b28ffba13c420a026f47a896abc25
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin  2023 bytes  a38f77b14843d06a8b906b2c62d403b9f55d6e3d60dabd356ab0a67117713c28