Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 93eef024ef7904bd…

MALICIOUS

Office (OOXML) / .XLSX

1.06 MB Created: 2022-04-29 12:58:15 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-05
MD5: c57425445655338ff41c4354f81c064d SHA-1: 5404fdab30ebac12c8f0e2414611b0d2625cb747 SHA-256: 93eef024ef7904bd7a65d5b2a8e3e199b3a0af26aace0884ca6b9070f3f56a60
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample is an Excel file containing Excel 4.0 macros. The macros appear to be designed to download and execute a second-stage payload, evidenced by the construction of file paths such as 'C:\Merto\Byrost\Veonse.OOOCCCXXX' and the inclusion of 'calc.bn'. This suggests a downloader or droppper functionality.

Heuristics 2

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
5710c87c0ed5951c6852f80ad5d7a2bfe1d7ab9b4954e1f5313abfdf14989d6e		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 2178048 bytes
ooxml_oleobject_00_ole10native_00.bin
868d36f0a9d7aeaa2ffb938a82fb91f72c660f2eadbb1419b6bf366129718f61		 ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 2158244 bytes
ooxml_oleobject_01.bin
315fd8ad7c11c70c961ad1fae4c3c361fdf95052617c9fc6614d184eddf494d2		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 2178048 bytes
emf_00.emf
98ad13ab19fe616c71705d232116dd45265aa2320a4376e2a1da561d9e5ad39d		 ooxml-emf OOXML EMF part: xl/media/image1.emf 4316864 bytes
xlm_sheet_00.bin
236919704c792a9766d9c28596efe3f6256ef0e235166f2a6c821fa1af1a403d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 2501 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.