Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 84c97aa3684436f2…

MALICIOUS

Office (OOXML) / .XLSX

Size: 81.3 KB
Created: 2021-02-26 07:53:41 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-03-01
MD5: 1861de12f19a5a573df918181469c608
SHA-1: 4bc185fded7e20a77ffe567e094865bee4a0279c
SHA-256: 84c97aa3684436f2f8a774495d69b0c768ec95f6e8335bfbc54f1c86dde6507e
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing an Excel 4.0 (XLM) macro sheet, a legacy feature that is rarely used legitimately today and is widely abused by malware. The critical heuristic confirms the presence of the macro sheet. The sheet is stored as BIFF12 binary rather than XML, so the report's text preview does not decode its formulas; the presence of an XLM macro sheet nevertheless strongly suggests an attempt to execute arbitrary commands, most likely to download and run a second-stage payload. The specific commands or URLs are not visible without decoding the binary macro sheet.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as XLSB/BIFF12 binary content (xl/macrosheets/sheet1.bin rather than sheet1.xml), which XML-only OOXML scanners miss because they never look inside .bin parts.
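The detection the heuristic describes, as an added example that is not part of this report or its analysis engine: a Python check that walks an OOXML package, flags macro sheet parts either by their content type or by their path under xl/macrosheets/, distinguishes the XML form from the BIFF12 (.bin) form, and carves UTF-16LE string literals out of binary parts so an analyst can see cell text without a full BIFF12 parser. The macro sheet content-type strings are what the code assumes Excel uses (the path check does not depend on them), and build_sample_xlsx produces a constructed minimal package for testing, not anything derived from the sample above.

```python
"""Flag Excel 4.0 (XLM) macro sheets in an OOXML package, including the
BIFF12 (.bin) form that XML-only scanners overlook, and recover UTF-16LE
string literals from binary macro sheets without a full BIFF12 parser."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Assumed content types Excel assigns to macro sheets ("+xml" for the XML
# part, without it for the XLSB/BIFF12 part). The path check below does not
# depend on them, so a part with a doctored content type is still caught.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.macrosheet",
    "application/vnd.ms-excel.intlmacrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet",
}
MACROSHEET_PATH = re.compile(r"^xl/macrosheets/[^/]+$", re.IGNORECASE)
# Runs of four or more printable ASCII characters stored as UTF-16LE, which is
# how BIFF12 records hold cell text and formula string arguments.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _content_types(zf):
    """Resolve each part name to its content type via [Content_Types].xml."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    defaults = {d.get("Extension").lower(): d.get("ContentType")
                for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName").lstrip("/"): o.get("ContentType")
                 for o in root.iter(CT_NS + "Override")}
    types = {}
    for name in zf.namelist():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        types[name] = overrides.get(name) or defaults.get(ext, "")
    return types


def utf16_strings(blob):
    """Printable UTF-16LE runs in a binary part, in file order."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def find_xlm_macrosheets(data):
    """One finding per macro sheet part in the workbook bytes `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name, ctype in _content_types(zf).items():
            if ctype not in XLM_CONTENT_TYPES and not MACROSHEET_PATH.match(name):
                continue
            blob = zf.read(name)
            is_xml = blob.lstrip().startswith(b"<")
            findings.append({
                "part": name,
                "content_type": ctype,
                "encoding": "xml" if is_xml else "biff12",
                "size": len(blob),
                # Only binary parts need string carving; XML is readable as-is.
                "strings": [] if is_xml else utf16_strings(blob),
            })
    return findings


def build_sample_xlsx(macro_part=None, macro_bytes=b""):
    """Constructed minimal package for testing; not derived from the sample."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if macro_part:
        ctype = ("application/vnd.ms-excel.macrosheet+xml"
                 if macro_part.lower().endswith(".xml")
                 else "application/vnd.ms-excel.macrosheet")
        overrides.append(f'<Override PartName="/{macro_part}" ContentType="{ctype}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro_part:
            zf.writestr(macro_part, macro_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for a BIFF12 macro sheet: filler bytes around the
    # kind of UTF-16LE literals the report's raw preview shows.
    blob = (b"\x00" * 16 + "00:00:05".encode("utf-16-le") + b"\x00\x00"
            + "SHA-512".encode("utf-16-le") + b"\x00" * 8)
    for f in find_xlm_macrosheets(build_sample_xlsx("xl/macrosheets/sheet1.bin", blob)):
        print(f["part"], f["encoding"], f["size"], f["strings"])
```

Checking both the content type and the path matters: a scanner keyed only on the "+xml" content type, or only on .xml part names, never opens sheet1.bin, which is exactly the gap the heuristic above describes. The string carve is a triage aid, not a decoder; a BIFF12 record parser is still needed to recover the actual formulas.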

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 4569 bytes
SHA-256: 85d73dd5f12600aaaafe62556c3e98e0d7686b6e8e4432cce7c7e203033609cd
Preview
The extracted part is raw BIFF12 binary, not script text, so a text preview does not render it. The only content recoverable from the raw bytes is a few UTF-16LE string literals embedded in the records: "00:00:01", "00:00:05" and "SHA-512". The two time-of-day strings are consistent with the string arguments XLM formulas use for timed delays; "SHA-512" is consistent with a hashed sheet-protection record, which would mean the macro sheet is password-protected. Recovering the actual formulas, and any command lines or URLs they carry, requires a BIFF12-aware parser rather than a text dump.