Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 b60a01f1755aaa3c…

MALICIOUS

Office (OOXML) / .XLSM

Size: 476.0 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: d119fe53c72dba850720cdf575b07831
SHA-1: 878132c7320387353553b22a19f0c75e436a7f85
SHA-256: b60a01f1755aaa3ce9f8b47699a7946ea174a4eb35cc1d1613597c15e1a9f640
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an XLSM file containing Excel 4.0 macros. The document body and heuristics indicate that the macros are designed to download and execute a file from the URL http://149.3.170.144/gt-hot/web.exe. The presence of a NOP-equivalent sled suggests potential shellcode or exploit activity.

Heuristics (3)

  • Excel 4.0 macro sheet (1 sheet(s)) [high] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://149.3.170.144/gt-hot/web.exe