Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 735f7a4bed9f5238…

MALICIOUS

Office (OOXML) / .XLSX

117.2 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-03-16
MD5: 7f26b75d77d6f0c0f20c6b61ca47857f SHA-1: 750decc4831f0c84aa6500ac55e9e0d829f1912a SHA-256: 735f7a4bed9f52384cf1f5ed2dbf6aef5081253bf39b978e24297508fa8cacad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel spreadsheet containing multiple Excel 4.0 macro sheets. These macros appear to be designed to download and execute a second-stage payload from the URL 'http://a.com/a.exe'. The presence of Excel 4.0 macros and the download functionality strongly suggest a malicious intent, likely to deliver further malware.

Heuristics 2

  • Excel 4.0 macro sheet (12 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Multios.Malware.Agent-10042426-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Multios.Malware.Agent-10042426-0

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
e541f768a6a2761f1eb330f36fa4854aa79d685e958fba24945d0f470a5c8620		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin 871 bytes
xlm_sheet_01.bin
0d0844264380b8dadbba0d2074e9c73b38a92bd41acd11a8911bcf11bfae4dd2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.bin 674 bytes
xlm_sheet_02.bin
fcbee97f0dd0396d2166b27e70dc5f329138d91e33cacefc90780771d2c89aca		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 3588 bytes
xlm_sheet_03.bin
9a9c00e5c670d9cb9ebbebc0e8eb74c5dbab1cc8cd9e7ffb4a8841887c938b52		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin 1269 bytes
xlm_sheet_04.bin
b8caa8271c2f12b728bdb0b32921f704c74d345971d996e432db17dc7447a0c1		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin 737 bytes
xlm_sheet_05.bin
5acb5cd8473f658ac1af292f8be69bb3d1e3ad2da2b48975c4cdcaf26c0ce9b9		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.bin 674 bytes
xlm_sheet_06.bin
9c7f0265f4841d89c0d2dbb41a0e7ff0d6f6e1eee1f2521467877a38b47fdaf2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin 672 bytes
xlm_sheet_07.bin
266823ec560e31f11854528dcc8a208cadf42a92be72a59d3e08dff40b2cf09a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin 562 bytes
xlm_sheet_08.bin
59abb19e07a0c85880d3e936983a6afd5475b6de992fac76e4164836c9f8539c		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin 393 bytes
xlm_sheet_09.bin
3568da1cb305e32670f31b9f2e0e2e544620438fc48e5295397de622e00e563d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin 442 bytes
xlm_sheet_10.bin
49977c4c3cbb189580a89e6d184b0137682ae93d0aa4c13b2c8b6bb201cf7535		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.bin 754 bytes
xlm_sheet_11.bin
a6ac0305669a45ec3d5a9c0fdb6bc74f328641eb09ba1853fc9972b2728de61d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin 393 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.