Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 afcb7a53d2dd39ad…

MALICIOUS

Office (OOXML) / .XLSX

1.21 MB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-03-28
MD5: f19461e1271567f0784c5fd3faafc18a SHA-1: aa0bd3caf52c3dcded920a7373512f22e68d39db SHA-256: afcb7a53d2dd39ad16c4d3afbb1ce1620079d48817da18edb2b38219569b86f2
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1105 Ingress Tool Transfer

The file contains critical Excel 4.0 macro sheet heuristics, indicating the presence of macro code. The extracted script content explicitly shows calls to 'URLDownloadToFileA' and specifies download locations such as 'C:\ProgramData\Plo.ocx', 'C:\ProgramData\Plo1.ocx', and 'C:\ProgramData\Plo2.ocx'. This strongly suggests the macro's intent is to download and execute a second-stage payload from the listed URLs.

Heuristics 4

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
5f971991f17a29f320aca38c3ea9be7be7f38c792189b5577d4dd18c0df702e3		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 2263040 bytes
ooxml_oleobject_00_ole10native_00.bin
f91e019a21711638b717a2ce53825ef4a6d329d61437fb2fa1d7b337ed21c127		 ole-package OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 2243012 bytes
emf_00.emf
15c48b425c8448885874f68152f5eb36fadbba477cd9f47355be63084dbfe115		 ooxml-emf OOXML EMF part: xl/media/image1.emf 4486440 bytes
xlm_sheet_00.bin
c9c4b9e952ca4bc5013aeee355f658cd8fe249edbc2914ac637205f8f9edadc9		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin 2920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.