Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6a7a63b4b58439e8…

MALICIOUS

Office (OOXML) / .XLSX

112.7 KB Created: 2021-08-16 09:36:27 UTC Authoring application: Microsoft Excel 12.0000
MD5: 559eea5641975c6255ea7ce8009b510b SHA-1: 216867d6862e5e756caa3ff885d40bee627b6d35 SHA-256: 6a7a63b4b58439e8116908c89df85d7d94f7317f11858d824b1c3bdb9a91273e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of Excel 4.0 macros within the XLSX file. These macros are known to be used for executing arbitrary commands, often to download and execute further malicious stages. The truncated script content prevents a more detailed analysis of the specific commands or URLs used.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
ffd9e9ed29d8a453ab0383f945b6632edc08284944a5745db1e37c8bd594cb1d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 342158 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.