Office (OOXML) / .XLSX malware analysis — malicious · 84fb0863381ae8eb

MALICIOUS

Office (OOXML) / .XLSX

94.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 16.0300

MD5: 5f5f1f8f79787e456bf8c1e6a52ef26a SHA-1: 7e7a842471e47ef453a2cb718a05a936f7a3c3b1 SHA-256: 84fb0863381ae8ebb32209dd0b9eb39d75c806fbb38fd7f1c9572783642b09b9

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic firing indicates the presence of Excel 4.0 macros, which are known for malicious activity. The embedded script contains strings that appear to be URLs, specifically 'http://ghenrope.rue', suggesting the macro's purpose is to download and execute a second-stage payload. This is a common technique for initial access via spearphishing attachments.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `1d86b3b52f2ca77e486b256d7c7d5bcd39881af7c02f6edc2a9373cc9635903a`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	9817 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.