Office (OOXML) / .XLSX malware analysis — malicious · ac5cbc081ce07f1b

MALICIOUS

Office (OOXML) / .XLSX

66.2 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: ef22498a7380ce5b4306bd1494f329ff SHA-1: 752f0d14c533a2b62977413126dcc50e99b3ecc8 SHA-256: ac5cbc081ce07f1b3a55b9a4f1f9be88995919d9612816398e8d11537bdffc16

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel 4.0 macro sheet, which is a known method for executing arbitrary commands. The macro appears to be constructing a path to an executable file in the Windows Startup folder, suggesting an intent to establish persistence and run a malicious payload. The specific executable path identified is C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Startup\a.exe.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `3e610e7eb3fe61eae5c4c1138bb520fc9cabdc3023986d5b58577628774e043d`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	7471 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.