Office (OOXML) / .XLSX malware analysis — malicious · a411a685a65e775e

MALICIOUS

Office (OOXML) / .XLSX

74.6 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 583db5c5a22c4d9ba6901b269eab7519 SHA-1: 1603339e11a04c8aceb8a0ce1008d638e296c4c6 SHA-256: a411a685a65e775ea7018867b53712e15cfbde915814218e478f461e77acb96b

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample contains an Excel 4.0 macro sheet, which is a strong indicator of malicious intent. The macro sheet contains a command that reconstructs to 'wmic process call create 'mshta C:\ProgramData\excel.rtf''. This command is designed to download and execute a second-stage payload from the specified path. The obfuscated nature of the macro sheet and the use of wmic and mshta suggest a downloader or initial access mechanism.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `0714c66756961af754afacecfd16867fd5b73a375359cbefdaeb8d5d52b4ca9d`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	156742 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.