Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9f635e8a769dac16…

MALICIOUS

Office (OOXML) / .XLSX

72.3 KB   Created: 2021-03-14 21:05:29 UTC   Authoring application: Microsoft Excel (AppVersion 16.0300)
MD5: 18a30ddb789abef63fcb4584faab7719 SHA-1: e60e2da43be789269fbe744a44950f2d6f57fc7b SHA-256: 9f635e8a769dac16e1aad62fe7d2e9ee5ed7b6ae725044f63e7d8d15919eccdc
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an Excel workbook containing an Excel 4.0 (XLM) macro sheet. The macro code is heavily obfuscated and the recovered content is truncated, so its exact function cannot be determined and no specific commands or URLs can be reconstructed. The presence of an XLM macro sheet in a workbook of this kind is nonetheless a strong indicator of intent to execute arbitrary code.

Heuristics 1

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet found)
    The workbook contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft tightened the XLM defaults; legitimate XLM use in modern workbooks is rare. Here the macro sheet is stored as XLSB/BIFF12 binary content (a .bin part rather than .xml), which scanners that only inspect the XML parts of an OOXML package will miss. Detection should therefore key on the declared content type and the xl/macrosheets/ part path, not on the presence of vbaProject.bin or on XML parsing alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename          Kind            Source                                             Size
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin   88880 bytes
  SHA-256: 9154e406d32b0f40b0e7d8bd1b599ef6b8848d8809339485ccbce45733b40e66
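The heuristic above and the carved artifact both come down to one operation: open the OOXML zip, find every part that is an XLM macro sheet (XML or BIFF12 binary), and extract it with a hash. The following script is an added example, not part of this report or of the analysis tool that produced it. It builds a constructed sample container in memory (a placeholder xl/macrosheets/sheet1.bin, not the real sample's bytes) and runs the detection over it. The content-type strings for XML and binary macro sheets are taken from my reading of the Office Open XML package conventions and are an assumption; the part-path check is kept as an independent fallback. It also generalizes past this sample by handling a macro sheet that carries the macro content type but sits under an unexpected path, which a path-only scanner would miss.

```python
"""Detect and carve Excel 4.0 (XLM) macro sheets from an OOXML container (added example)."""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types Excel declares for macro sheets (assumed from OOXML/XLSB conventions).
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",  # XML macro sheet (.xlsm layout)
    "application/vnd.ms-excel.macrosheet",      # BIFF12 binary macro sheet (.xlsb layout)
}
# Fallback: conventional part location, .xml or .bin. Misses renamed/relocated parts.
MACROSHEET_PART = re.compile(r"^xl/macrosheets/[^/]+\.(xml|bin)$", re.IGNORECASE)


def declared_content_types(zf):
    """Map part name -> content type from [Content_Types].xml Override entries."""
    declared = {}
    if "[Content_Types].xml" not in zf.namelist():
        return declared  # crafted packages may omit it; path fallback still applies
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    for ov in root.iter(CT_NS + "Override"):
        declared[ov.get("PartName", "").lstrip("/")] = ov.get("ContentType", "")
    return declared


def find_xlm_sheets(container):
    """Return one record per XLM macro sheet part found in the zip bytes."""
    results = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        declared = declared_content_types(zf)
        for name in sorted(zf.namelist()):
            ctype = declared.get(name, "")
            by_type = ctype in XLM_CONTENT_TYPES
            by_path = MACROSHEET_PART.match(name) is not None
            if not (by_type or by_path):
                continue
            blob = zf.read(name)  # carve the part exactly as stored
            results.append({
                "part": name,
                "content_type": ctype or "(undeclared)",
                "encoding": "BIFF12 binary" if name.lower().endswith(".bin") else "XML",
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "matched_by": "+".join(k for k, v in (("content-type", by_type), ("path", by_path)) if v),
            })
    return results


def build_sample(macro_kind):
    """Constructed OOXML container for demonstration only (not the analysed sample).
    macro_kind: 'bin' (binary part at the usual path), 'xml', 'renamed'
    (binary part hidden under xl/worksheets/ with the macro content type), or None."""
    overrides = [
        ("/xl/workbook.xml", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"),
        ("/xl/worksheets/sheet1.xml", "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"),
    ]
    parts = {
        "xl/workbook.xml": b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
        "xl/worksheets/sheet1.xml": b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
    }
    placeholder = b"BIFF12-PLACEHOLDER" + bytes(46)  # opaque stand-in, not real BIFF12 records
    if macro_kind == "bin":
        overrides.append(("/xl/macrosheets/sheet1.bin", "application/vnd.ms-excel.macrosheet"))
        parts["xl/macrosheets/sheet1.bin"] = placeholder
    elif macro_kind == "renamed":
        overrides.append(("/xl/worksheets/sheet2.bin", "application/vnd.ms-excel.macrosheet"))
        parts["xl/worksheets/sheet2.bin"] = placeholder
    elif macro_kind == "xml":
        overrides.append(("/xl/macrosheets/sheet1.xml", "application/vnd.ms-excel.macrosheet+xml"))
        parts["xl/macrosheets/sheet1.xml"] = b'<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"/>'
    types = ET.Element("Types", xmlns="http://schemas.openxmlformats.org/package/2006/content-types")
    ET.SubElement(types, "Default", Extension="xml", ContentType="application/xml")
    for part_name, ctype in overrides:
        ET.SubElement(types, "Override", PartName=part_name, ContentType=ctype)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ET.tostring(types, encoding="utf-8", xml_declaration=True))
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("bin", "xml", "renamed", None):
        print(f"--- constructed sample: macro_kind={kind!r}")
        for hit in find_xlm_sheets(build_sample(kind)):
            print(f"{hit['part']:<28} {hit['encoding']:<14} {hit['size']:>6} B  "
                  f"{hit['matched_by']:<18} sha256={hit['sha256'][:16]}...")
```

Run against a real file with `find_xlm_sheets(open(path, "rb").read())`; the carved bytes can be written out under a name like the report's xlm_sheet_00.bin and hashed for comparison with the artifact table. The two checks are deliberately independent: the declared content type is what Excel actually honours, so it catches a macro sheet placed outside xl/macrosheets/, while the path check still fires if the package has no usable [Content_Types].xml.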