Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 a8a2e8be22be85b4…

MALICIOUS

Office (OOXML) / .XLSM

Size: 20.2 KB
Created: 2021-03-24 10:31:26 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ef665cb1b6b71405248df39c1e4a49dd
SHA-1: baf402f1a41e812b7e59888dc6719621c5d2dd39
SHA-256: a8a2e8be22be85b4f151672fc24a5e39ce6e652ac69751d94cc60241480f51f7
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is an XLSM document containing Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET and OOXML_XLM_AUTOOPEN_DEFINEDNAME heuristics. The document body text explicitly instructs the user to 'Enable Editing' and 'Enable Content', which are common social engineering tactics to bypass security warnings and allow macro execution. The presence of Auto_Open suggests an attempt to automatically run malicious code upon opening the document. No specific family could be identified, and no external IOCs were extracted.

Heuristics (3)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
SHA-256: c3c5b82da09fa616c76fa453d32b60752d00ad588305536aa6febab9697b3ebe
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 16663 bytes