Xls.Downloader.GreenOffice01223-9937701-0 Office (OOXML) / .XLSX malware analysis — malicious · 71b5de4bc0e2acce

MALICIOUS

Office (OOXML) / .XLSX

125.3 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300

MD5: 0131f3ba2a433680c693633012c3e5f1 SHA-1: 7ecbbba7d47dc64e8bf4e69927cefbc7d525b678 SHA-256: 71b5de4bc0e2acceece6d2f11a6c283aa483deff9858c73aabd5e844cea75c5d

120 Risk Score

Malware Insights

Xls.Downloader.GreenOffice01223-9937701-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is identified as malicious by ClamAV and contains multiple Excel 4.0 macro sheets. These macros are likely responsible for executing a downloader payload, as indicated by the 'Xls.Downloader' family name. The presence of multiple macro sheets suggests a complex or obfuscated execution flow designed to download and run a secondary malicious component.

Heuristics 2

Excel 4.0 macro sheet (8 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `233d417b205fa548ee199db8f7dcde5eec5ed25d77f05e8ea9c00ce21c35b939`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	2510 bytes
`xlm_sheet_01.bin` `500952c6629948897d18f1986d28785709479e7f8593807356d0fedc7f951272`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	428 bytes
`xlm_sheet_02.bin` `5a15ced69dee870a7d3a5570d88d6d7f09745990f086317a0ee636a9ed4df291`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.bin	428 bytes
`xlm_sheet_03.bin` `4b15edbbba9a65d33fdb500ff8626d9621bac2195ef74d699735b09b21a8028b`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.bin	428 bytes
`xlm_sheet_04.bin` `bf2a739fa56c3d15384a1c3110a865e233378e8fc718fbfef40f953b3883318f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet4.bin	428 bytes
`xlm_sheet_05.bin` `0107b41473071ac5d8b8cb52a31f8c9f5c2d660b8817625277f4f17623947455`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet5.bin	428 bytes
`xlm_sheet_06.bin` `96bdb6b024c43a4a919a0b7ca20a7186fc8d758fff92d3c7bf74bb2068e7446a`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet6.bin	428 bytes
`xlm_sheet_07.bin` `e561d2de881f21620feda2d77d70861eff058969308a438af3cd54f04c908a83`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet7.bin	428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.