Office (OOXML) / .XLSX malware analysis — malicious · c138ec3129bf56c0

MALICIOUS

Office (OOXML) / .XLSX

69.0 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 8c3f1e5234a7ce5e141708af19d4d9d3 SHA-1: 815c43c9c39d6cfd8f330bba61a0882d88e6f619 SHA-256: c138ec3129bf56c0c78a14c29f8f8ac04f1314db6e076069ad5a3ad4d61a8d32

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The primary heuristic indicates the presence of an Excel 4.0 macro sheet. The extracted script content, though truncated and partially obfuscated, appears to construct a path that resembles a command execution or payload staging location: 'C:\ProgramData\fnsfunsgfgnkjfsgnd'. This suggests the macro is intended to download and execute a second-stage payload.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `9201573f39462788df4d69e0f9bef2899e66c172e29d77da0d62f9955194885c`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.