Office (OOXML) / .XLSX malware analysis — malicious · b1a34acf8a1c6263

MALICIOUS

Office (OOXML) / .XLSX

49.2 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: bf0b48c5cf97982ff5896b8d39fab529 SHA-1: 12582dffcc622f7a880c33a903b93c85309cab5e SHA-256: b1a34acf8a1c62634e07d67a960e41cb62de0d2da9c25bfdae2fd680a329ee30

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Service Execution

The sample is an Excel file containing a macro sheet, triggering the OOXML_XLM_MACROSHEET heuristic. The embedded macro sheet contains obfuscated commands that, when deobfuscated, reveal the use of 'wmic process call create' to execute a file named 'excel.rtf' located in the 'C:\ProgramData\' directory. This indicates an attempt to download and execute a second-stage payload.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `2d3d18114ea97d68667a5c17ac2f44be8da066dae5455498dc4df8816da6ed71`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	67688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.