MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains an Excel 4.0 macro sheet, which is a known method for executing malicious code. The macro sheet likely attempts to download and execute a secondary payload, a common technique for initial execution and further compromise. Due to the truncated nature of the script, specific IOCs could not be extracted.
Heuristics 1
Excel 4.0 macro sheet (1 sheet(s)) | critical | OOXML_XLM_MACROSHEET
Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin 997fbf06113fdb733cdb3e8682218613dc0c39fc47233745e85fa8a2a65eefb3 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 4569 bytes |
Preview script: first 1,000 lines of the extracted script