Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 70038dc836f537de…

MALICIOUS

Office (OOXML) / .XLSX

Size: 350.1 KB
Created: 2014-01-10 08:17:33 UTC (authoring timestamp taken from the file's own metadata; it is attacker-controlled and is not evidence of the file's true age)
Authoring application: Microsoft Excel 14.0300
First seen: 2022-02-22
MD5: c1f47a14a958e2345ba929afa829c7e7
SHA-1: 4e30b187cdd04d385854b5aa5b06999c76b84049
SHA-256: 70038dc836f537dea842699af7d86efb201ec5198e46c536c981fd5eb8430e98
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample contains an Excel 4.0 (XLM) macro sheet whose formulas use CALL, RUN and HALT. CALL invokes exported functions of arbitrary Windows DLLs directly from a formula cell; it is the primitive XLM downloaders and droppers use to allocate memory, write files and start a second-stage payload without any VBA. RUN passes control to another macro cell range and HALT ends the macro. The analyzer's reading of the CALL arguments points to memory-allocation and file-writing operations, consistent with a downloader or dropper, but this report does not list the specific API targets, so confirm them by reading the carved macro sheet (xl/macrosheets/sheet1.xml) listed under Extracted artifacts.

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) critical OOXML_XLM_MACROSHEET
    The workbook contains an Excel 4.0 (XLM) macro sheet (xl/macrosheets/sheet1.xml). XLM was a major Office malware vector in 2020-2022 because it sat outside the VBA-focused controls most defences relied on, until Microsoft added AMSI scanning for XLM and then disabled Excel 4.0 macros by default. Legitimate XLM use is rare in modern workbooks, so its presence alone warrants a closer look.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    xl/workbook.xml defines the built-in name _xlnm.Auto_Open (or _xlnm.Auto_Close) while the workbook contains an XLM macro sheet. Excel runs the cell range that name points to as soon as the file is opened (or closed) once macros are enabled; this is the auto-execution shape for Excel 4.0 macros in OOXML and XLSB workbooks.
  • Dangerous XLM formula APIs: CALL, RUN, HALT critical OOXML_XLM_DANGEROUS_FN
    The macro sheet uses formula functions that reach beyond the worksheet. CALL and REGISTER invoke exported functions in arbitrary Windows DLLs, EXEC starts a process, and FORMULA writes new formulas into cells at run time so a payload can be assembled while the macro runs; RUN and HALT are the control flow that chains and terminates macro ranges. Together these are the primitives XLM downloaders use to fetch a payload, write it to disk and launch it without invoking VBA.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are OOXML/SpreadsheetML XML namespace identifiers that appear in every Excel workbook: they are schema names, not network indicators, and should not be treated as IOCs or submitted for blocking.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
SHA-256: 4221ece86026c664ac271406d1b828a5eb5b5ec5d11042c122b0f315f45bf77f
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 186154 bytes
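The following is an added example, not the analyzer's or this report's own code. It re-implements the three XLM heuristics listed above (macro sheet present, _xlnm.Auto_Open defined name, flagged formula functions) and the macro-sheet carving recorded in the artifacts table, working directly on the workbook's ZIP and XML. It assumes the standard OOXML layout (macro sheets under xl/macrosheets/, defined names in xl/workbook.xml, formulas in <f> elements). The workbook it analyses is constructed in memory by build_sample() and is not the file described in this report; the CALL arguments in it are placeholders, not recovered from the sample.

```python
# Added example (not the analyzer's code): XLM triage and macro-sheet carving for OOXML.
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"

# CALL/REGISTER invoke exported DLL functions, EXEC starts a process, FORMULA
# writes new formulas into cells at run time; RUN/HALT are macro control flow.
XLM_FLAGGED_FN = {"CALL", "REGISTER", "EXEC", "FORMULA", "RUN", "HALT"}
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}
FN_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def macrosheet_parts(zf: zipfile.ZipFile) -> list[str]:
    """ZIP members that are XLM macro sheets (xl/macrosheets/*.xml)."""
    return sorted(n for n in zf.namelist()
                  if n.startswith("xl/macrosheets/") and n.endswith(".xml"))


def formula_functions(formula: str) -> list[str]:
    """Function names invoked by an XLM formula ("" is an escaped quote)."""
    # Blank out string literals first so CALL inside a quoted argument is not counted.
    stripped = re.sub(r'"(?:[^"]|"")*"', '""', formula)
    return FN_RE.findall(stripped)


def triage_xlsx(data: bytes) -> dict:
    """Apply the macro-sheet, Auto_Open and flagged-function checks."""
    findings = {"macrosheets": [], "auto_open": [], "dangerous_fns": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings["macrosheets"] = macrosheet_parts(zf)
        if "xl/workbook.xml" in zf.namelist():
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                if dn.get("name") in AUTO_NAMES:
                    findings["auto_open"].append((dn.get("name"), (dn.text or "").strip()))
        for part in findings["macrosheets"]:
            for f in ET.fromstring(zf.read(part)).iter(f"{{{NS_MAIN}}}f"):
                for fn in formula_functions(f.text or ""):
                    if fn in XLM_FLAGGED_FN:
                        findings["dangerous_fns"][fn] = findings["dangerous_fns"].get(fn, 0) + 1
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings onto the report's scale."""
    if not findings["macrosheets"]:
        return "clean"
    if findings["auto_open"] or findings["dangerous_fns"]:
        return "critical"  # XLM that auto-runs or reaches outside the workbook
    return "suspicious"  # inert XLM; still rare in modern workbooks


def carve_macrosheets(data: bytes) -> list[dict]:
    """Carve each macro sheet the way the artifacts table above records it."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for i, part in enumerate(macrosheet_parts(zf)):
            blob = zf.read(part)
            out.append({"filename": f"xlm_sheet_{i:02d}.xml", "kind": "xlm-macrosheet",
                        "source": part, "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest()})
    return out


def build_sample(xlm: bool = True) -> bytes:
    """Constructed minimal workbook (not the reported file); CALL args are placeholders."""
    workbook = (
        f'<workbook xmlns="{NS_MAIN}"><sheets>'
        '<sheet name="Sheet1" sheetId="1"/>'
        + ('<sheet name="Macro1" sheetId="2"/>' if xlm else "") + "</sheets>"
        + ('<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
           "</definedNames>" if xlm else "")
        + "</workbook>"
    )
    # Formulas in <f> carry no leading '='. A4 mentions CALL only inside a string.
    macro = (
        f'<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="{NS_XM}"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("Kernel32","VirtualAlloc","JJJJJ",0,4096,4096,64)</f></c></row>'
        '<row r="2"><c r="A2"><f>RUN(A3)</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        '<row r="4"><c r="A4"><f>SET.VALUE(B1,"CALL(x)")</f></c></row>'
        "</sheetData></xm:macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        if xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(verdict(triage_xlsx(sample)), triage_xlsx(sample), carve_macrosheets(sample))
```

Run it against a real workbook by passing the file bytes to triage_xlsx() and carve_macrosheets(); string literals are blanked before function names are matched, so a quoted "CALL" in a cell does not count, while nested calls (FORMULA("=CALL(...)") patterns) are still caught when the outer function is flagged. A workbook whose macro sheet runs only on a user-triggered name rather than Auto_Open will score "suspicious" here, which matches the report's reasoning that XLM in a modern workbook deserves review on its own.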