Office (OOXML) / .XLSX malware analysis — malicious · 91f55b579a06c498

MALICIOUS

Office (OOXML) / .XLSX

94.6 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 1ed4e7ff74879905e805e1b19a20c807 SHA-1: 384408ca60e39a6d7a4f286d93fcae3fb5aeb345 SHA-256: 91f55b579a06c498c1c23dd4e430f9cff462c2510ca071a0b1bb1d0b7c2670d2

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros. The macro appears to be constructing a path to a directory, likely for staging or execution of a downloaded payload. The specific path 'C:\ProgramData\fnsfunSfgRgnKjFsgNd' is indicative of a downloader or initial access stage.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `10eca710658cb569ab45894bb175c41384215e1f5e8256e054b175decf5dfe0f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.