Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8fad458b85068923…

MALICIOUS

Office (OOXML) / .XLSX

197.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: a547d8658714b664dc5cc76fe4601f89 SHA-1: 6e16e11a5e751a134a6986f1727edf77e22a46e3 SHA-256: 8fad458b85068923ad566a53a0971f8266771d508c66dbbf4c1aa15c5b53870e
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1105 Ingress Tool Transfer

This XLSX file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, which is a common technique for executing malicious code upon opening. Critical heuristics indicate the use of dangerous XLM formula APIs like FORMULA, GOTO, and HALT, along with strings for WinAPI functions such as URLDownloadToFileA and DownloadToFileA. These point to the file's likely intent to download and execute a second-stage payload.

Heuristics 7

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.GreenEnable052-9863734-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable052-9863734-1
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 1190 bytes
xlm_sheet_01.xml
729155f58b4793fd72a684893acfb74da6adebe8c1815b3bcb1e0a3e6f4fc60b		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 2901 bytes
xlm_sheet_02.xml
c627eb02b6049ab2ba980fb2219c111f1c6d4332ae6ea02091532d722ca536f0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2238 bytes
xlm_sheet_03.xml
b799fe19146b2d88a059ba2f416e9e108ec4d3802659d338d7b81f2d62a387a0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1463 bytes
xlm_sheet_04.xml
2606388a7d493e2de5e08d5a58acd765f1fb51cd2e623e5a4a8ae97e15cd9950		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1469 bytes
xlm_sheet_05.xml
f4a17b32653b96ae29aa1557978f76395ad96653818e54b0c717a27657960068		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.