Office (OOXML) / .XLSX malware analysis — malicious · bf175617c91f7412

MALICIOUS

Office (OOXML) / .XLSX

115.9 KB Created: 2021-03-16 13:14:06 UTC Authoring application: Microsoft Excel 16.0300

MD5: 7068ea753ec6c1c0225907d332c9d6c7 SHA-1: f0033c912a28c89749f3631ac5144388f1b9ab1a SHA-256: bf175617c91f7412274874e575b61e79eb0256cdd98d181294f0bff6352590f2

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample was identified as malicious by ClamAV and contains Excel 4.0 macros. The macros appear to be responsible for downloading a file from the URL 'http://gropup.xyz/camo/f/f.dll'. This indicates the file's primary purpose is to act as a downloader for a second-stage payload.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
ClamAV: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `a1202767d857c496ddf2c7ea0d33d22cd5f21c8fd238def82a63d624657f1052`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	3386 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.