Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 913ab0615e439410…

MALICIOUS

Office (OOXML) / .XLSX

70.9 KB Created: 2021-04-18 18:20:25 UTC Authoring application: Microsoft Excel 16.0300
MD5: a5afd0dc330ee0d10f0673d8a85daa44 SHA-1: ff5448ee664428d67012bd77a91611f2c04879dc SHA-256: 913ab0615e43941038a10994d66a1bd9fa57e89822176e92153113fcee34a67c
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing an Excel 4.0 macro sheet. This type of macro can be used to execute arbitrary commands, which is a common technique for initial access or payload delivery. No specific family could be identified, but the technique is indicative of a downloader or initial compromise stage.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
ff1f59b4853d6c606374ac88cbee52b28b032fbacfe3f3b977566955bd289fb9		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 95042 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.