Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c2880873a9fa9e09…

MALICIOUS

Office (OOXML) / .XLSX

Size: 125.0 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: f34c429e68f39a3c1b65950d3aa2b98f
SHA-1: ada0cffe9f6b08869e7a9482923f0b308b149d8d
SHA-256: c2880873a9fa9e0988c780f624ea8f023b9fc285f7512cef3e709f2377180748
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an XLSX file containing multiple Excel 4.0 macro sheets, as indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The ClamAV detection 'Xls.Downloader.GreenOffice01223-9937701-0' strongly suggests downloader functionality. Although the macro content is truncated and obfuscated, the presence of macro sheets together with the downloader detection points to an attack pattern in which the macros fetch and execute additional malicious content. No specific URLs or executable payloads were directly extracted from the provided script excerpts.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size.

  • xlm_sheet_00.bin
    SHA-256: 4be865fd99cf252a0d9292df6f9b6b847dce5f89794eba2f39c31b1a2763d6bb
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin
    Size: 2125 bytes
  • xlm_sheet_01.bin
    SHA-256: e296f2661d5201bcd027cded81b962b184563d9b9e16833ac2b90da47453f605
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 428 bytes
  • xlm_sheet_02.bin
    SHA-256: 92b48ebc71415177387c629e42d5920a80724eb19c01f9a6c41221dcdd24c20f
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.bin
    Size: 428 bytes
  • xlm_sheet_03.bin
    SHA-256: f21549aa5e6b6c2960b342bb480ff6dfa65dd312754ef1eb0d2547088504ef56
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet3.bin
    Size: 428 bytes
  • xlm_sheet_04.bin
    SHA-256: e307e991028fecd952b05c7d6d1da1b295486d57f601515e097898d852f1a1f1
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet4.bin
    Size: 428 bytes
  • xlm_sheet_05.bin
    SHA-256: 371f3260d9ae90eddd3f710b3b54b2e62a8faaf17da318ebf3524f364677e89a
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet5.bin
    Size: 428 bytes
  • xlm_sheet_06.bin
    SHA-256: 6a04cb0ed4ec0a1e8031ed983ae1600915c967cc73f4dc254df534a62f2fd8a4
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet6.bin
    Size: 428 bytes
  • xlm_sheet_07.bin
    SHA-256: b9467a0dcf66be7c8ff6e1eb2df090f484b30aa99d10acd7256c13d46be04059
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet7.bin
    Size: 428 bytes