Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8a2d47371bb980f9…

MALICIOUS

Office (OOXML) / .XLSX

197.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: ad110a9104b8eccfbce2f1107ad719fc SHA-1: 83dd98054cd97a78be182eb4f27b4a5202136819 SHA-256: 8a2d47371bb980f9742d08127d88416af8927f76dd5f33d99fd70069a1bcc310
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic, Visual Basic for Applications, and VBScript T1204.002 Malicious File

This XLSX file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, which is a common technique for executing malicious code upon opening. The macros utilize dangerous functions like FORMULA, GOTO, and HALT, and contain strings indicative of downloading payloads via WinAPI calls such as URLDownloadToFileA. The presence of these elements strongly suggests a downloader functionality, although the specific payload is not discernible from the static analysis.

Heuristics 7

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.GreenEnable052-9863734-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable052-9863734-1
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 1190 bytes
xlm_sheet_01.xml
729155f58b4793fd72a684893acfb74da6adebe8c1815b3bcb1e0a3e6f4fc60b		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 2901 bytes
xlm_sheet_02.xml
c627eb02b6049ab2ba980fb2219c111f1c6d4332ae6ea02091532d722ca536f0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2238 bytes
xlm_sheet_03.xml
b799fe19146b2d88a059ba2f416e9e108ec4d3802659d338d7b81f2d62a387a0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1463 bytes
xlm_sheet_04.xml
2606388a7d493e2de5e08d5a58acd765f1fb51cd2e623e5a4a8ae97e15cd9950		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1469 bytes
xlm_sheet_05.xml
f4a17b32653b96ae29aa1557978f76395ad96653818e54b0c717a27657960068		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.