Office (OOXML) / .XLSX malware analysis — malicious · 7fbc7d878232d856

MALICIOUS

Office (OOXML) / .XLSX

114.5 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: aa5b492862dc72dc0bf7c851fbffda62 SHA-1: dcf181d1b8f3a24d6e5f1a825b09626ff6ff2cb4 SHA-256: 7fbc7d878232d85647450251e8ed14fe505adb81b9877ac475bfe567a2b669f0

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 User Execution: Malicious File

The sample is an XLSX file containing an Excel 4.0 macro sheet (xl/macrosheets/sheet1.bin), which is a legacy macro format often used by malware to evade detection. No scripts were extracted in a readable format from the xlm-macrosheet, as the content is binary data. The presence of a macro sheet in a modern OOXML file is highly suspicious and a critical heuristic firing, supporting the a malicious verdict.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `760ab6f836ec01ea483854c43a743ae94180bb44066581d2673ed9c54951d457`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4870 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.