Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c098e6917b058361…

MALICIOUS

Office (OOXML) / .XLSX

Size: 26.1 KB
Created: 2020-04-29 13:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 76225817c2c6fa0ef5fb563510a23193
SHA-1: 40f81c9ee20da4007ea925ff49f069ad7552a601
SHA-256: c098e6917b05836186b8d9d450ddddbca62532bb20fa283d35cfd6d4ed7fbe00
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Service Execution
  • T1204.002 Malicious File: Malicious File

This XLSX file contains multiple Excel 4.0 macro sheets, which is highly suspicious as this macro language is rarely used in legitimate documents. The presence of dangerous XLM functions like RUN, CALL, and FORMULA indicates an intent to execute arbitrary code. These functions are commonly abused to download and execute second-stage payloads, making this a likely delivery mechanism for further malware.

Heuristics (5)

  • Dangerous XLM formula APIs: RUN, CALL, HALT, FORMULA [critical] (OOXML_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Excel 4.0 macro sheet (8 sheet(s)) [high] (OOXML_XLM_MACROSHEET)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) [low] (OOXML_HIDDEN_SHEET)
    Excel workbook contains 8 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size (and Detection, where reported)

xlm_sheet_00.xml
  SHA-256: d286de097658367aefac32ee6fe426b03b50af356f8b56094aaed39be307edbd
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
  Size:    61161 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 shell/COM execution token(s).

xlm_sheet_01.xml
  SHA-256: 9640497c0ff507fe08458309595566fa54a1bbb675ff8c1c4e3fef1166d14956
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet2.xml
  Size:    4138 bytes

xlm_sheet_02.xml
  SHA-256: 60dae18432528a20404b61a5afbd226fe40398fb07b200f305ebfdbc378ee4da
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet3.xml
  Size:    1086 bytes

xlm_sheet_03.xml
  SHA-256: e328b4b853f296edc165979c8601ca7eb153fdb166e3721efbf428e260bf14c6
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet4.xml
  Size:    1086 bytes

xlm_sheet_04.xml
  SHA-256: 78528101de9b2e78cd9092fc8201aeb512ad77ae0f50fc462186901635e69527
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet5.xml
  Size:    1086 bytes

xlm_sheet_05.xml
  SHA-256: 521940ec7df2bbbfebc68e759d4b3cf3c0bfda4af39706e05e954eb5ef8cd4b5
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet6.xml
  Size:    1086 bytes

xlm_sheet_06.xml
  SHA-256: 6a8bfb77cef451b893130c9d059fa0a28cd652f611ac364da308a37a298dda3e
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet7.xml
  Size:    1086 bytes

xlm_sheet_07.xml
  SHA-256: d2fedf9d27c4a517d1e3ec1f98966c695db92c569e8c4c3f7f60a30276c08ed4
  Kind:    xlm-macrosheet
  Source:  OOXML XLM macro sheet: xl/macrosheets/sheet8.xml
  Size:    1086 bytes