Office (OOXML) malware analysis — malicious · 79488447439ca16b

MALICIOUS

Office (OOXML)

3.26 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-09-25

MD5: 37fa7d09838c04cd381f9cc274a2c718 SHA-1: dcf0ccb57bbc63cec53960c1c43a6bd3c55feea3 SHA-256: 79488447439ca16b57db85ae2e06aead138ffe24a114abecba972ed3298a5c66

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

This Excel file contains Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_AUTOOPEN_DEFINEDNAME' heuristics. The 'OOXML_XLM_BINARY_WINAPI_STRINGS' heuristic reveals WinAPI and download-related strings such as 'DownloadToFileA', 'CreateDirectoryA', and 'RouteTheCall', suggesting the macros are designed to download and execute a second-stage payload. The presence of an Auto_Open defined name further indicates that these macros will execute automatically upon opening the document.

Heuristics 3

Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS

Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.

Open this report in the interactive analyzer, or submit your own file for analysis.