Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b8226e0691779280…

MALICIOUS

Office (OOXML) / .XLSX

Size: 721.7 KB
Created: 2021-02-03 15:28:44 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4fb331e4e5c6094e731690371687b110
SHA-1: bcecaaba6462550c61f7ed572e2c06ef8f3f378a
SHA-256: b8226e0691779280f1cbbcba93d41e01bc26a7ad37c88bc3b835e72c1376a7fe
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.005 Visual Basic

The sample is an XLSX file that contains an Excel 4.0 (XLM) macro sheet, which is the critical finding. The macro sheet is not stored under the canonical xl/macrosheets/ path but is reached through an xlMacrosheet relationship pointing elsewhere in the package, a layout consistent with an attempt to evade path-based scanners. Apart from the raw macro sheet binary, no document body and no decoded macro code were extracted, so the exact payload and delivery mechanism could not be determined from static analysis. Hiding a macro sheet this way has no legitimate purpose in a modern workbook and points to malicious intent, most likely execution of a further stage once the user enables content.

Heuristics (2)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (1 sheet)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as XLSB/BIFF12 binary content, which XML-only OOXML scanners miss.
  • [critical] OOXML_XLM_DISGUISED_RELATIONSHIP: Excel 4.0 macro sheet stored under disguised package path
    The OOXML package declares an xlMacrosheet relationship whose target lies outside the canonical xl/macrosheets/ path. Excel follows the relationship type, not the path, so the sheet still executes, while path-only scanners miss the macro execution surface.
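The detection logic behind the two heuristics above, written as an added example for this report (it is not the analysis tool's own code): walk every .rels part in the package, select relationships by the xlMacrosheet type URI rather than by file name, resolve each target relative to its source part, and flag any target that is outside xl/macrosheets/ or stored as a .bin (BIFF12) part. The workbook it scans is constructed inline to mirror the layout the report describes (xl/rws/sheet1.bin); its .bin content is placeholder bytes, not real BIFF12.

```python
"""Find Excel 4.0 (XLM) macro sheets in an OOXML package by relationship type.

Added example, not code from the original report. The relationship type URI is
the one Excel uses for macro sheets; the sample package built below is
constructed to match the disguised layout described in the report.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

XLM_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
CANONICAL_DIR = "xl/macrosheets/"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def resolve_target(rels_path, target):
    """Resolve a relationship Target against the part that owns the .rels file.

    xl/_rels/workbook.xml.rels belongs to xl/workbook.xml, so a relative target
    such as 'rws/sheet1.bin' resolves to 'xl/rws/sheet1.bin'. A leading '/'
    means the target is already package-rooted. normpath folds any '../'.
    """
    if target.startswith("/"):
        return target.lstrip("/")
    source_part = rels_path.replace("_rels/", "", 1)[: -len(".rels")]
    return posixpath.normpath(posixpath.join(posixpath.dirname(source_part), target))


def find_xlm_macrosheets(zf):
    """Return one finding per xlMacrosheet relationship anywhere in the package."""
    parts = set(zf.namelist())
    findings = []
    for name in parts:
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("Type") != XLM_REL_TYPE:
                continue
            target = resolve_target(name, rel.get("Target", ""))
            findings.append({
                "rel_id": rel.get("Id"),
                "target": target,
                # Excel follows the type; a path outside xl/macrosheets/ is the disguise.
                "disguised": not target.startswith(CANONICAL_DIR),
                # A .bin part is BIFF12, which XML-only scanners never parse.
                "binary": target.lower().endswith(".bin"),
                "present": target in parts,
            })
    return findings


def scan(data):
    """Scan an in-memory OOXML package (bytes) and return the findings list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_xlm_macrosheets(zf)


# Constructed sample: one ordinary worksheet plus a macro sheet declared by type
# but stored under xl/rws/, as in the analysed file.
WORKBOOK_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet2.xml"/>
  <Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="rws/sheet1.bin"/>
</Relationships>"""


def build_sample():
    """Build the constructed test package in memory (placeholder sheet bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
        zf.writestr("xl/worksheets/sheet2.xml", "<worksheet/>")
        zf.writestr("xl/rws/sheet1.bin", b"\x00" * 64)  # placeholder, not real BIFF12
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan(build_sample()):
        flags = [k for k in ("disguised", "binary") if f[k]]
        print(f"{f['rel_id']}: {f['target']} present={f['present']} {' '.join(flags)}")
```

Selecting by relationship type is the whole point: a scanner that only globs xl/macrosheets/*.xml reports nothing for this package, while the code above reports rId2 as both disguised and binary. Content types in [Content_Types].xml give a second, independent signal and should be cross-checked in a production scanner.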

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                    Size
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/rws/sheet1.bin  1015032 bytes
  SHA-256: 8f2e932d1d7d50f57f666e08f7daa12f8d900aa11010643b8169b9d4fc5461b8