Office (OOXML) / .XLSX malware analysis — malicious · b4f058f98fe291fd

MALICIOUS

Office (OOXML) / .XLSX

76.5 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 2f0849c22b10a481c04657fe305cc584 SHA-1: 98633e6c7e833f0c7a4a7b0721fa542abe9f600b SHA-256: b4f058f98fe291fd6e8fa110245f0095d041691c07741f1f04931bb80f995279

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet. Analysis of the macro sheet reveals a path that appears to be an attempt to execute a program from a specific directory. This suggests the macro is designed to download and execute a second-stage payload. The macro sheet contains a hardcoded path 'C:\ProgramData\fjkgdjkngfdg\fjkgdjkngfdg' which is likely used to stage or execute malware.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `8aeb6e43de9e21400ced3cb136dea24b783887e07646c40d7d4f98f5410cb9b1`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	3376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.