Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ab1d6eacd13c7ce7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 190.7 KB
Created: 2021-02-21 13:33:04 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-03-01
MD5: 10360f4838885037c303c5d1e54a40c1
SHA-1: e22bc05b3ff0891e18f414f0dc468078bf24720d
SHA-256: ab1d6eacd13c7ce70852c85f8da60605b30722d728928ee6d65647750061c6f2
Risk Score: 60

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 2764 bytes
SHA-256: 873cd7d25ab44865a6e864cee26e96869274e7c750c6b0544537086c1cfcdd3f
Preview script
First 1,000 lines of the extracted script