Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6685082490baa1ef…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 28.0 KB

MD5: 0939f8138107261a5abc7911a138221e
SHA-1: f4dde2f239c458296a635d759ba723c176881eda
SHA-256: 6685082490baa1ef2fcdb2d73db0acaf8dae804d8a97e96b73ad47a669bfa4dd

Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file contains multiple Excel 4.0 macro sheets, which are known to be used for malicious purposes. Specifically, the macros utilize dangerous functions like FORMULA and REGISTER to call external Win32 APIs. One macro sheet contains a REGISTER call that appears to be constructing a command to download a file, likely a second-stage payload, to the system.

Heuristics (4)

  • Excel 4.0 macro sheet (10 sheet(s)) [critical, OOXML_XLM_MACROSHEET]
    Malformed OOXML local headers contain an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and is rarely used in modern legitimate workbooks.
  • Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT [critical, OOXML_XLM_DANGEROUS_FN]
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA).
  • Malformed OOXML package with recoverable local headers [low, OOXML_MALFORMED_ZIP_LOCAL_HEADERS]
    The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename         | SHA-256                                                          | Kind           | Source                                                      | Size
-----------------|------------------------------------------------------------------|----------------|-------------------------------------------------------------|-----------
xlm_sheet_05.xml | 9c62d86580e549ce6bbb2a2df2bbeb8a163ce33a58f6cc86e5696e1b265fc46c | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3109 bytes
xlm_sheet_06.xml | 9579d89e84da3ea40da488d8619e2cf30e25c98d1eba11699bd4c72e8c5fe239 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1497 bytes
xlm_sheet_07.xml | ad3f3284bce1dc17a3f12a6258b2eaa66d6ef86d5a438e09de5ecced3370d3b6 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml | 2240 bytes
xlm_sheet_08.xml | a97dde770fa8bc29cb0ec0a93a2ae316904685d2512ba1220cfee45f98648688 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml | 1551 bytes
xlm_sheet_09.xml | 68030b89e6b4fa9175100e8b7d910608eca541d5ed4e2c0d66aeda37c494a807 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml | 1551 bytes
xlm_sheet_10.xml | 4ebc5cb27ec4f2b547e1bd53bb611ec7d1683658b8c563ab084965c604bd18ef | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml | 1550 bytes
xlm_sheet_11.xml | 02c5359e6c25391c9e987c378ea1fa498b510bbd77700855700c1f66d26cff91 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml | 1551 bytes
xlm_sheet_12.xml | 0a36b8963427a06b07b518fde39e338399acae8b0375228e5cec6bdc4a42f657 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml | 1553 bytes
xlm_sheet_13.xml | 98386f020be407140630c7a14a4e79f58808acc942ac53553e969d84e0686ded | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml | 1551 bytes
xlm_sheet_14.xml | b6684636c4f1f8407672ee79c627800fb33d979b4b3c225b33925d6a1f612183 | xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/sheet1.xml     | 1693 bytes