Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bd657afb43737f1d…

MALICIOUS

Office (OOXML) / .XLSX

81.3 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000
MD5: 8f3851e0e2950ab509c1d422d7c51488 SHA-1: 08fba263ba90c47b595c13240e7215fc1e8137a1 SHA-256: bd657afb43737f1da0cceccdd7b702a71070d188ab59b03d79544ddf95f7bafd
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of Excel 4.0 macros within the XLSX file. While the macro content is heavily truncated and obfuscated, the presence of such macros is a strong indicator of malicious intent, often used to download and execute further stages or exploit vulnerabilities. The file's metadata shows it was created with Microsoft Excel 12.0000.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
32180e6b915546b5603b3016812e8b21aa6689592cb3cf5db0b6b3cca59c267a		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 151687 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.