Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bc96c38e3f85c439…

MALICIOUS

Office (OOXML) / .XLSX

33.8 KB Created: 2020-04-29 13:43:05 UTC Authoring application: Microsoft Excel 16.0300
MD5: 31927dbd3bfae76511681911beca4348 SHA-1: 6c6680659b09d18ccab0f933daf5bf1910168b1a SHA-256: bc96c38e3f85c43923a37f57c096eb5b3913b516dbcb11b46cb9cfd0c1d167ce
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Service Execution T1059.001 PowerShell: PowerShell T1204.002 Malicious File: Malicious File

This XLSX file contains multiple Excel 4.0 (XLM) macro sheets, which are rarely used in legitimate documents. The heuristics indicate the use of dangerous XLM functions such as CALL, RUN, FORMULA, and HALT. These functions are typically used to download and execute arbitrary code from external sources, bypassing traditional VBA security measures. The presence of hidden sheets further suggests an attempt to conceal malicious activity.

Heuristics 5

  • Dangerous XLM formula APIs: RUN, CALL, HALT, FORMULA critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Excel 4.0 macro sheet (5 sheet(s)) high OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 5 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
d286de097658367aefac32ee6fe426b03b50af356f8b56094aaed39be307edbd		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 61161 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s).
xlm_sheet_01.xml
14d183c1ac1270dc4e9d0ce2317894b85c465a49611fcf18e0e3928875b55011		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 37531 bytes
xlm_sheet_02.xml
27db94ea837734f57fc5208f2670f0d97dce18db72ad17cc1384cf213fb46ba9		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1086 bytes
xlm_sheet_03.xml
56ff7f75a2cbed406c8c3f1b863a1290dd4374f43ce733f76ee7d015ea94d6fd		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet4.xml 1086 bytes
xlm_sheet_04.xml
095b278e16328473a06a8775aa636956de9034e66a07cbe00f446df7a979e773		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet5.xml 1086 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.