Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 c32da6643f80c121…

MALICIOUS

Office (OOXML) / .XLSM

87.5 KB Created: 2020-06-09 18:28:23 UTC Authoring application: Microsoft Excel 14.0300
MD5: 9f2b0660c41b04b780aa280a469c160a SHA-1: c9d931d4d3c882fe270263e86b6d4e7e21426aa8 SHA-256: c32da6643f80c121dddc359855f9e0e56110411fb90f0f988eed33277e945ae9
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer

This XLSM file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize dangerous functions like FORMULA, RUN, and REGISTER, and contain strings related to WinAPI functions such as URLDownloadToFileA and ShellExecuteA. The embedded URL https://erpoweredent.at/3/zte.dll is likely used to download and execute a second-stage payload. The presence of regsvr32.exe and rundll32.exe in the document text further suggests execution of arbitrary code.

Heuristics 7

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, RUN, REGISTER, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 12 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://erpoweredent.at/3/zte.dll
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
22ad2cc090f5915242e8c9b2fc5d3ce56b32376f3e2e7d48ea073d55df0a3506		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 61142 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.