Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b79c9b08f8a01e10…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.16 MB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-29
MD5: 3a9dceb5ddf6679ebaae360a08be4396
SHA-1: 23b45b4f9f385550d07b4f8c860ffc5300a6ad11
SHA-256: b79c9b08f8a01e10b930bd7775a2b185049a910255ec0ebf437cea3fce4c2909
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSX file containing multiple Excel 4.0 macro sheets. These macro sheets are heavily obfuscated but indicate the use of macro functionality to execute commands. The presence of these macro sheets is a strong indicator of malicious intent, likely to download and execute a secondary payload. No specific family could be identified due to the obfuscation and lack of clear indicators.

Heuristics (2)

  • Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

emf_00.emf
  SHA-256: a12daa770fc1848e39c880d90376e8e5b6814576e9bdbfaa076685fd9b9b2ba3
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 6145428 bytes

xlm_sheet_00.bin
  SHA-256: 94dcae400bad291e7734b3303be72f72bc74b4ef3f7737fe960644bb383a7a69
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
  Size: 484 bytes

xlm_sheet_01.bin
  SHA-256: 6b69a539d2d44586cd29d86a91c29f1e2ba8aa4a323b5a4a9f7f0d23cd002d42
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.bin
  Size: 484 bytes

xlm_sheet_02.bin
  SHA-256: 46ff111a4683eea3ae97021320d38aa4eb315350d26452c986cde8fd19a80a92
  Kind: xlm-macrosheet
  Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
  Size: 2165 bytes