Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 69103f375e5de882…

MALICIOUS

Office (OOXML) / .XLSX

Size: 268.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-02
MD5: 7536bb045c1f410a77a17db0d3e31b39
SHA-1: 880d395b012a2be97c632835d61b6b5769ad3e66
SHA-256: 69103f375e5de882ebccb43e088d0f56edbc77305e2f1adfb812e37f9fbe0caf
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of Excel 4.0 macro sheets, which are known to be used for executing arbitrary code. The heuristic 'OOXML_XLM_MACROSHEET' confirms the existence of these macro sheets. The ClamAV detection 'Multios.Malware.Agent-9967226-0' further supports the malicious classification. The macros are likely designed to download and execute a second-stage payload, a common technique for malware distribution.

Heuristics 2

  • Excel 4.0 macro sheet (10 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Multios.Malware.Agent-9967226-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Multios.Malware.Agent-9967226-0

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_sheet_00.bin | 1434b2bef33f9d8608b044437f48428e0298120e7017f631a2f33ba56aa6c752 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 322 bytes
xlm_sheet_01.bin | 04a1c8c42066978968a402f8a04ce6a5a7673ecef4b9debc084649b52b747f64 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 2151 bytes
xlm_sheet_02.bin | 765804c19d50bdd3bcc0391b1b9907ad74cc8149c930eb53ac36c0ed226f6de5 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 484 bytes
xlm_sheet_03.bin | 39bea9fab1c795173046b51b75a53296ad66f29d76b487594d693a8390fbe92c | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 484 bytes
xlm_sheet_04.bin | a6b98894165c30b3d44d75e60bb0a628e7ecada95b399f9412700fb2b0674464 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes
xlm_sheet_05.bin | 0d7e2c72dfab2ccd23720ac96f72180b9d1cef3452c51624561364c9943be252 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 484 bytes
xlm_sheet_06.bin | c06f64468ac5923dcab4a106464d68314b609b115aa2e65526acb7d8e698561f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 484 bytes
xlm_sheet_07.bin | e78a0903c52a61f894d5702c5711f1a752800c144bcfc4cc3d9ea865cf5194b2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes
xlm_sheet_08.bin | 3f0408b1671e6462403801fc8b3914288e73bf7bc2458e5f2ed94327d170c160 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes
xlm_sheet_09.bin | 84adc44516a7e45de092091efae98c83b606d8196e202b922a66afc0dabdceb0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet8.bin | 348 bytes