Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bbf7ec6941839f06…

MALICIOUS

Office (OOXML) / .XLSX

Size: 96.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: e24b4670bc9917e7612c37d540612be2
SHA-1: 9bbb7ef89c43d81f62e612830800fc7dc9e042bc
SHA-256: bbf7ec6941839f06df8c1e4c817524e8259fac56ab404720259c2ed9e6dbefbb
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Service Execution

The file is an Excel document containing multiple Excel 4.0 macro sheets, as indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. These macro sheets are designed to execute arbitrary code upon opening. While the specific commands within the macro sheets are heavily obfuscated and truncated in the provided evidence, the presence of these macro sheets strongly suggests an attack pattern focused on initial execution and payload delivery. No specific IOCs like URLs or hashes were extracted from the macro content.

Heuristics (2)

  • Excel 4.0 macro sheet (7 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 484 bytes | c37fba766abd6d156918a643e026b438f9eb0eaa225c144756cd2a5c6fda4519
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 484 bytes | 22bba77ccfeebe8e5c4e883612c26774cb0b357b34f9b8f821432aab3ada7cb3
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2076 bytes | a54cfa9ba41e5598d383926a84d25941debd28f24c9934cba5a5f56d9097ca69
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 484 bytes | cc1fea1c5ed0ee9ba6377487e147436c2cdc066a48105c36d0aca3c1995417f4
xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 484 bytes | fc16eb2a62981f93b25a935d0a0fb49d33f90429021cb43f6e7f301424f17a92
xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 484 bytes | e1559372370dc0c7c16b816f71c2d5acc0e30cc8878cffe531ed647dae733bb2
xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 484 bytes | 1f384d37a830103e6e157bda73c1f5bba7a0a8db52a6ba5a8d8560d3886df131