Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8af6e6ec8b4d613b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 146.1 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-04-06
MD5: 02456456ee0790ce555b503dc7865d86
SHA-1: 6f4b9910fa6fd310e666d2bd1c9bcbf5433a50f6
SHA-256: 8af6e6ec8b4d613b784142a302ad1e662230be7676ada1f4291b188eec3bb705
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice01220-9937699-0. Static analysis reveals the presence of multiple Excel 4.0 macro sheets within an XLSX file, indicating downloader or dropper functionality. The macros are likely responsible for fetching and executing a secondary payload.

Heuristics (3)

  • Excel 4.0 macro sheet (13 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01220-9937699-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01220-9937699-0

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Filename         | Kind           | Source                                               | Size         | SHA-256
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes    | 5cd0c206d1c0ea28c3457d4282c01ef21ffe4b14957e3e3ac64cfebf3d7de8dc
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1464 bytes   | 58e234b9c9d686e8c506e684fef74670c2535741b5e96701437599bf84baf65d
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin     | 11832 bytes  | fa336e04758c7bd5cad2da8d21bb8f5151827145d71e270b147e29611e497766
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 82807 bytes  | 9394f61c80902255d30d3ad77b7529d71b7f5059409538e1568d5f76b746eee7
xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 17937 bytes  | 9c6bdc3cf36bf03dd21b9f39c0a613d23b196aad0543052f150cb6732a531075
xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 37303 bytes  | 8b7715d6b127c6c810bd615d8b9e96243c5d151d94f6a5bf4a2176c1b5d251d8
xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 65714 bytes  | c687cc03a7cddd68b7e16fdccac8a1cf5755614d3cc0f30368e5ca6dd1a50c61
xlm_sheet_07.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 80820 bytes  | 9351a7dcb547693bb072da0d5ed56b914dbe3136b1d56394996b14300bc9e66a
xlm_sheet_08.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 306255 bytes | 8f1fb8f6a9d6da4075b35bc189944cc736c2cda6d1350dfe1796822f1f078d15
xlm_sheet_09.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin     | 2807 bytes   | 918d790ea30b947f53c24ec6c93580866dfd1c88cb8d916cfa8524a5f5053d7d
xlm_sheet_10.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin     | 2275 bytes   | c567b560932ba7c631862cd9a5633c21d3dc9a89eb01c427c064f8d90064130e
xlm_sheet_11.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 463 bytes    | 7d5bc712f983bb5eeb78a6f77be5eca2f46f336bb5ebc9442788dca7e9c8b091
xlm_sheet_12.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin     | 5345 bytes   | 520a06a1f576b348abae440ac838037a218552f2e3d2ee2a65c276ec62337831