Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7bab4115ce6cecb7…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 231.7 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: bd559f9f406c8d3d05204e72e3646e9f
SHA-1: e51290c207eabc11b22f2e23cd86ba8242c5afd4
SHA-256: 7bab4115ce6cecb7b0cf0f1136457317df7135b524b2e8701dffaf050b00d03b
Risk Score: 180

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains Excel 4.0 macros that reassemble formulas to construct paths to executable files. The heuristic 'OOXML_XLM_REASSEMBLED_PAYLOAD' indicates that these formulas are used to download and execute secondary payloads from the specified local paths. The ClamAV detection 'Xls.Downloader.GreenOffice12210-9918618-0' further confirms its classification as a downloader.

Heuristics (3)

  • Excel 4.0 macro sheet (12 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.GreenOffice12210-9918618-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice12210-9918618-0

Extracted artifacts (12)

Files carved from inside the sample during analysis.

All twelve artifacts are OOXML XLM macro sheets; the Source column gives the part path inside the archive.

Filename          Kind            Source                         Size        SHA-256
xlm_sheet_00.bin  xlm-macrosheet  xl/macrosheets/intlsheet1.bin  363 bytes   b5aba48cdbc925dbf4cf1fd099252f76e1ccde07778d66ad239dd029d3f4e959
xlm_sheet_01.bin  xlm-macrosheet  xl/macrosheets/sheet1.bin      3023 bytes  514ba565434569c0a538370e537b6c9f5c528e1aa38f0e635f27bd199bac7778
xlm_sheet_02.bin  xlm-macrosheet  xl/macrosheets/intlsheet2.bin  1787 bytes  047efb69be3aabac5e32c5468a16304585fb8200ae4e3ee22b4ad91ad823f54c
xlm_sheet_03.bin  xlm-macrosheet  xl/macrosheets/intlsheet3.bin  618 bytes   0f1e1280117d34354f071590ae05ed4b803774dbb89e255f805496835eaedbb3
xlm_sheet_04.bin  xlm-macrosheet  xl/macrosheets/intlsheet4.bin  618 bytes   f93099eafdd1b1c882fd3d99b878ec6f1a02981e1d97ffc55a5317c481c3f9a7
xlm_sheet_05.bin  xlm-macrosheet  xl/macrosheets/intlsheet5.bin  964 bytes   02c209dd2dc5e6979e99f6e4a3b776670466e8f2322cc37d317ff8ccfc4b675d
xlm_sheet_06.bin  xlm-macrosheet  xl/macrosheets/intlsheet6.bin  650 bytes   9546b38eaf75fa2c0d2b9c568cc5cba1bb59a95b391668fa432a2be08c195bcf
xlm_sheet_07.bin  xlm-macrosheet  xl/macrosheets/intlsheet7.bin  423 bytes   62df625d44e0eb5a196e883fba76b1e7243ad8cf79b1303b4b2e74c9f0db97ac
xlm_sheet_08.bin  xlm-macrosheet  xl/macrosheets/sheet2.bin      754 bytes   861f04f1095e7942cb333088a674476c30702f97a737f71c0139aa7a13b90a77
xlm_sheet_09.bin  xlm-macrosheet  xl/macrosheets/sheet3.bin      679 bytes   8301bc5278f0fa8a1f30b666f2bae149b2af7f7e8725fc411f414d663b46ea68
xlm_sheet_10.bin  xlm-macrosheet  xl/macrosheets/sheet4.bin      679 bytes   987c911348779e2ffc43c7db23b3310492dcbfccbd081b8f655607c24dbe81e5
xlm_sheet_11.bin  xlm-macrosheet  xl/macrosheets/intlsheet8.bin  757 bytes   94af29dac79b320dd48dd0c00ef963dea5cdfa0950ab7c96c958da08ff885679