Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9f525d99d27a8f4f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 60.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f986fd7eb0bc92d8d18ba5d92dde6ea5
SHA-1: 2e41db1bcec6e4347a1e47f8aeb4a3c549518aca
SHA-256: 9f525d99d27a8f4f8590d248a0cc4a899dd7b8f70a196289c958631fdb24fdc8
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is an XLSX document containing multiple Excel 4.0 macro sheets, identified by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The extracted macro content is heavily obfuscated and truncated, making it difficult to determine the exact functionality. However, the presence of these macro sheets strongly suggests an attempt to execute malicious code upon opening the document, likely to download and execute a secondary payload.

Heuristics (2)

  • Excel 4.0 macro sheet (7 sheet(s)) | severity: critical | OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx | severity: critical | OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes
    3d22ea942bf0a7753c0e8792cd48f31526b9f6d9528726f6b6a28ef08fca866f
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes
    5af3ff53dc29ca2ca0a7ab4705ef95ef6208ac4f714a92523fc507162a85b333
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes
    83f20123a54919e3079ebf306cfd22f3feec36ddef2371548dbf40bed98d7a61
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2000 bytes
    2b1a9e4be69919db94e79f75efca6afc7231026c7cf464e809ea77e7ff71ea30
xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes
    ccd86c3655a73b6e243601aa78c74ae2ae2587faa50fb0e84d9eea496fd382c0
xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes
    ca505b6b249aa3f989b14c19017fd6cef8fc87fc3f97932632c4d776747abba6
xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes
    9646d8bbb80aa71a3fca2bece497fc114e2b96877293bce441cc6c1c05d24285