Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 90c03a8ca35c33aa…

MALICIOUS

Office (OOXML) / .XLSX

93.6 KB Created: 2020-06-09 18:28:23 UTC Authoring application: Microsoft Excel 14.0300
MD5: b36a0543b28f4ad61d0f64b729b2511b SHA-1: bf62dc338b1dd50a3f7410371bc3f2206350ebea SHA-256: 90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer T1071.001 Web Protocols

This Excel 4.0 macro-enabled spreadsheet contains dangerous functions like FORMULA, RUN, REGISTER, and HALT, which are often used to download and execute payloads. The macro sheet also contains strings indicative of WinAPI calls for downloading files and executing commands. The embedded URL 'https://erpoweredent.at/3/zte.dll' is highly suspicious and likely serves as the download location for a second-stage payload. The presence of 'regsvr32.exe' and 'rundll32.exe' in the document text suggests these legitimate binaries may be abused for execution.

Heuristics 7

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, REGISTER, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 23 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://erpoweredent.at/3/zte.dll
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
22ad2cc090f5915242e8c9b2fc5d3ce56b32376f3e2e7d48ea073d55df0a3506		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 61142 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.