Office (OOXML) / .XLSX malware analysis — malicious · 92968dac653703cf

MALICIOUS

Office (OOXML) / .XLSX

114.4 KB Created: 2021-02-03 15:28:44 UTC Authoring application: Microsoft Excel 16.0300

MD5: 7b28d43358cd7d11c8f15e586dc4ff86 SHA-1: 5f2c6005500ae64b5128036af6aaa612351afd64 SHA-256: 92968dac653703cf52d30ee5136d51acf6bf222ff14ea601ba0b7734b33b93ff

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as a malicious Excel 4.0 macro sheet, disguised within the package structure. This indicates an attempt to bypass security controls through obfuscation. The macro sheet itself contains obfuscated code, making it difficult to determine the exact payload or execution flow without further dynamic analysis. The primary attack pattern involves leveraging macro execution within an Office document.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Excel 4.0 macro sheet stored under disguised package path critical OOXML_XLM_DISGUISED_RELATIONSHIP

OOXML package declares an xlMacrosheet relationship whose target is outside the canonical xl/macrosheets/ path. Excel follows the relationship type, while path-only scanners can miss the macro execution surface.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `3fd2c5ac9f1339b006d4b8558a66e92632e93690860205c61803635b864cb6a6`	xlm-macrosheet	OOXML XLM macro sheet: xl/xls/sheet1.bin	1007414 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.