Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 afffd9cf2aac73ff…

MALICIOUS

Office (OOXML) / .XLSX

Size: 90.8 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a52174d8332c6bb2ef5b2943137bdc1c
SHA-1: 3547581e58af61139262ad196405723d05c0ccec
SHA-256: afffd9cf2aac73ff251289dd7b51b0b89f24c463f3401ab8739f41ebf2e09b3d
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter
  • T1204 User Execution

An Excel 4.0 macro sheet is used to execute commands that construct the path 'C:\ProgramData\excel.rtf' and subsequently call Windows Management Instrumentation (WMI) processes to create and run this RTF file. This behavior suggests an attempt to deliver additional payloads through user execution of the crafted RTF document. The presence of critical heuristics related to OOXML XLM macrosheets supports this assessment. However, due to obfuscation in script content, specific details about payload delivery remain uncertain.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: 15a543f0cdca4dc5737a9d756a300714da3c58025c35fdea97e0525712acc7ba
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 156596 bytes