Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 aaceb007e5336973…

MALICIOUS

Office (OOXML) / .XLSX

Size: 921.6 KB
Created: 2013-01-17 05:51:00 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 42c06348d9490f3282d9cb22ef43d5a9
SHA-1: 137f8ac5c2cd86f3bdcca78e52e170d4b4f49d1b
SHA-256: aaceb007e5336973b063d8c22ba4ca8d6dbd9f689b029f3962d2f627c36dcfeb
Risk Score: 78

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1137.006 Office Application Startup: Add-ins / Build Process

The file is an Excel spreadsheet that uses a fake invoice lure to entice users. It contains embedded OLE objects, which are often used to deliver malicious payloads. The external relationship points to a UNC path, suggesting a potential internal network compromise vector or a lure document hosted on a network share.

Heuristics (5)

  • External relationship (severity: high, rule: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\Renqian\资料2\工作资料\工作资料\运仰光面辅料\宁波至仰光\2019\01.30\报关单据-1.30yorkoverseas 远东.xlsx
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Hidden worksheet (hidden) (severity: low, rule: OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Fake invoice / payment lure (severity: low, rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source part inside the OOXML package, the size, and any detection results.

  • ooxml_oleobject_00.bin
    SHA-256: d3558c51523442bdfca15b36d316456b62f27a8c7535055340a7f856b2954d10
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 61952 bytes

  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: c9f2e4678939482ca1e0a869799a65a32c4b0b660d6eb5bbfb039b60a0a008b7
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 60001 bytes

  • ooxml_oleobject_01.bin
    SHA-256: cbc369351f37f2ccef6d30e6b5facbfbfb5cb9f4b2cd0486913561150263bdb7
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 103936 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.82, consistent with packed or encrypted content.

  • ooxml_oleobject_01_ole10native_00.bin
    SHA-256: 37dfa4e079693283aba4be1ba4951142b14571dcbe4976483cad914086e97748
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 101664 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.88, consistent with packed or encrypted content.

  • ooxml_oleobject_02.bin
    SHA-256: 36acf696165ce9cc8eb885a65dcee681ab16f15cb0f2cd7352bd229c1595740c
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 493568 bytes

  • emf_00.emf
    SHA-256: ea7b5b76898c176b82e7a1f490975ce3aa2da52a208fd3084b665c098adfa7db
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image3.emf
    Size: 7544 bytes

  • emf_01.emf
    SHA-256: 6b5bccc8f2f4ff5b6f97a936500e797fd0f1a0620c7100ae39c87172d55b5d8e
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 238184 bytes

  • emf_02.emf
    SHA-256: 45e99d9a0ce4f236836aa50ded53b129890183b02af02ceff5889c7c7f5bfdf4
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image2.emf
    Size: 7448 bytes