Office (OOXML) / .XLSX malware analysis — malicious · a349079203802303

MALICIOUS

Office (OOXML) / .XLSX

82.2 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 386a41814ad4e88356707693a491d5a7 SHA-1: 098c568ccae2e428647d27789cffa83f5683af96 SHA-256: a3490792038023037b21a3d39dcf0c5a9ac76400a082a6c992e1b8dec8044f4e

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The primary heuristic indicates the presence of an Excel 4.0 macro sheet, which is often used to execute arbitrary commands. The extracted script content, despite obfuscation, reveals a path that appears to be an attempt to write a file named 'excel.rtf' to the 'C:\ProgramData\' directory. This suggests the macro is likely involved in dropping a second-stage payload or establishing a foothold on the system.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `79d3c44add37d325f38f66df2a6e8a05ff4af66e902a280bff7ab33043e56497`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	108650 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.