Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 81e8bc38c93a502b…

MALICIOUS

Office (OOXML) / .XLSM

82.7 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300
MD5: bb75c4fb9012f2c86321f06a96511d9e SHA-1: e2abe31e535fb6477ef9f568bd27eb72133188a8 SHA-256: 81e8bc38c93a502b8b084892819b912e6f5f845698ca18b081d3be3c87b6eade
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1059.001 PowerShell

The file is an Excel macro-enabled spreadsheet (XLSM) containing Excel 4.0 macros. Heuristics indicate the use of dangerous XLM functions like CALL and EXEC, which are commonly used to download and execute arbitrary code. The embedded URL http://prce24izsje03aioy.xyz/grays.gif is highly suspicious and likely serves as the download source for a secondary payload. The document body text appears to be obfuscated or corrupted, but the presence of the URL and the dangerous macro functions strongly suggest a malicious intent to download and run external content.

Heuristics 4

  • Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: CALL, HALT, EXEC critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://prce24izsje03aioy.xyz/grays.gif
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
5c4e3b678b811a1ee69e794607da7cd2a0daec65b4da850455f7aac38414fe0a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 13146 bytes
xlm_sheet_01.xml
9510b95b704d4ec77ddf10ba99df293174da51707a576c3516c81be75ca88848		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 1025 bytes
xlm_sheet_02.xml
d893f5a8c6ebfc65a4bb2cfd20b69fbe5f7c051f4d39c1d16f2cf0319f995bf6		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 19571 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.