Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c5a3596beea95ed9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 268.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-02
MD5: c3ae9aa53987b4be5ef9ad6caef211f7
SHA-1: bfe929c33031444e9c9d03d9a059f448730e0d3d
SHA-256: c5a3596beea95ed97e985602fe1763f2a8a036f0a6c3b2a24445e4a1008197bf
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is classified as malicious because multiple critical heuristics fired on Excel 4.0 (XLM) macro sheets embedded in a package named .xlsx; the ClamAV signature hit 'Multios.Malware.Agent-9967226-0' corroborates that classification. The carved macro sheets are heavily obfuscated and only partially visible in the excerpts available to this analysis, so the exact commands they run were not recovered, but XLM macro sheets of this kind are characteristic of Excel 4.0 macro abuse for executing arbitrary commands or downloading further payloads. The primary attack pattern is use of these macros for initial execution once a user opens the workbook and enables content.

Heuristics (3)

  • Excel 4.0 macro sheet (10 sheets) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft disabled XLM macros by default. Even legitimate XLM use is rare in modern workbooks. Here the macro sheets are stored as XLSB/BIFF12 binary parts (xl/macrosheets/*.bin), which scanners that only parse XML worksheet parts miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    The OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet (xl/macrosheets/intlsheet*.bin). This hides XLM macro execution from scanners that trust the file extension or only inspect XML worksheet parts; Excel itself sniffs the package contents, not the extension. The technique is plain macro execution, not a document-parser CVE.
  • ClamAV: Multios.Malware.Agent-9967226-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature name Multios.Malware.Agent-9967226-0.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename          Kind            Source (part inside the package)                       Size
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin    322 bytes
                  SHA-256 1434b2bef33f9d8608b044437f48428e0298120e7017f631a2f33ba56aa6c752
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin   2151 bytes
                  SHA-256 04a1c8c42066978968a402f8a04ce6a5a7673ecef4b9debc084649b52b747f64
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin        484 bytes
                  SHA-256 765804c19d50bdd3bcc0391b1b9907ad74cc8149c930eb53ac36c0ed226f6de5
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin        484 bytes
                  SHA-256 39bea9fab1c795173046b51b75a53296ad66f29d76b487594d693a8390fbe92c
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin        428 bytes
                  SHA-256 a6b98894165c30b3d44d75e60bb0a628e7ecada95b399f9412700fb2b0674464
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin        484 bytes
                  SHA-256 0d7e2c72dfab2ccd23720ac96f72180b9d1cef3452c51624561364c9943be252
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet5.bin        484 bytes
                  SHA-256 c06f64468ac5923dcab4a106464d68314b609b115aa2e65526acb7d8e698561f
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet6.bin        428 bytes
                  SHA-256 e78a0903c52a61f894d5702c5711f1a752800c144bcfc4cc3d9ea865cf5194b2
xlm_sheet_08.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet7.bin        428 bytes
                  SHA-256 3f0408b1671e6462403801fc8b3914288e73bf7bc2458e5f2ed94327d170c160
xlm_sheet_09.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet8.bin        348 bytes
                  SHA-256 84adc44516a7e45de092091efae98c83b606d8196e202b922a66afc0dabdceb0
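As an added illustration, not part of this report or of the analysis engine that produced it, the Python below implements the two OOXML checks from the heuristics section (XLM macro-sheet detection, and XLSB parts hiding inside a package named .xlsx) and carves each macro sheet with its size and SHA-256 the way the artifact table above is built. The packages it runs on are constructed inline with placeholder part bodies, not real BIFF12 streams; the function names, the returned structure and the rule-count details are this example's own assumptions.

```python
"""Triage an OOXML spreadsheet package for Excel 4.0 (XLM) macro sheets.

Added example, not the report's tooling. Runs offline on constructed
in-memory packages; the part bodies are placeholders, not genuine BIFF12.
"""
import hashlib
import io
import re
import zipfile

# Part names Excel uses for XLM macro sheets. The extension is the encoding:
# .xml is SpreadsheetML, .bin is BIFF12 (XLSB). "intlsheet" parts are
# international macro sheets.
MACROSHEET_PART = re.compile(r"^xl/macrosheets/(intl)?sheet\d+\.(xml|bin)$", re.I)
# Binary (XLSB) workbook and sheet parts. A package that is genuinely .xlsx has none.
XLSB_PART = re.compile(
    r"^xl/(workbook|worksheets/sheet\d+|macrosheets/(intl)?sheet\d+)\.bin$", re.I)
# Secondary indicator from [Content_Types].xml; matches both the "+xml" and the
# binary variants of the macrosheet / intlmacrosheet content types.
MACROSHEET_CT = re.compile(rb"vnd\.ms-excel\.(intl)?macrosheet")


def triage_ooxml(data: bytes, filename: str) -> dict:
    """Return heuristic findings and carved macro sheets for one package.

    heuristics: list of (rule_name, count), rule names taken from the report.
    artifacts:  one entry per macro sheet with carved name, source part,
                encoding, size and SHA-256 (mirrors the artifact table).
    xlsb_parts: every binary workbook/sheet part seen, whatever the extension.
    """
    findings = {"heuristics": [], "artifacts": [], "xlsb_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        macro_parts = [n for n in names if MACROSHEET_PART.match(n)]
        findings["xlsb_parts"] = [n for n in names if XLSB_PART.match(n)]
        intl_parts = [n for n in macro_parts if "/intlsheet" in n.lower()]
        ct_hit = ("[Content_Types].xml" in names
                  and MACROSHEET_CT.search(z.read("[Content_Types].xml")) is not None)
        for i, part in enumerate(macro_parts):
            blob = z.read(part)
            # SpreadsheetML parts begin with an XML declaration or element
            # (optionally after a UTF-8 BOM); anything else is binary BIFF12.
            encoding = "xml" if blob.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<") else "biff12"
            findings["artifacts"].append({
                "carved_name": f"xlm_sheet_{i:02d}.bin",
                "source": part,
                "encoding": encoding,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
    # Rule 1: any XLM macro sheet at all (content type alone also counts, since a
    # hand-built package may reference parts under unexpected names).
    if macro_parts or ct_hit:
        findings["heuristics"].append(("OOXML_XLM_MACROSHEET", len(macro_parts)))
    # Rule 2: the report's case, .xlsx extension with XLSB parts and an
    # international macro sheet. Trust the package contents, not the name.
    if filename.lower().endswith(".xlsx") and findings["xlsb_parts"] and intl_parts:
        findings["heuristics"].append(
            ("OOXML_XLSB_INTL_MACROSHEET_IN_XLSX", len(findings["xlsb_parts"])))
    return findings


def build_sample(parts) -> bytes:
    """Construct an OOXML package in memory from (part name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts:
            z.writestr(name, body)
    return buf.getvalue()


CT_NS = b'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
# Constructed lookalike of the report's sample: XLSB workbook/worksheet parts
# plus binary XLM macro sheets (one international) under a .xlsx name.
# Bodies are placeholder bytes, not real BIFF12 records.
HIDDEN_XLSB_PARTS = [
    ("[Content_Types].xml",
     b'<?xml version="1.0" encoding="UTF-8"?><Types ' + CT_NS + b'>'
     b'<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
     b'<Override PartName="/xl/macrosheets/intlsheet1.bin" ContentType="application/vnd.ms-excel.intlmacrosheet"/>'
     b'</Types>'),
    ("xl/workbook.bin", b"\x00\x01placeholder-biff12-workbook"),
    ("xl/worksheets/sheet1.bin", b"\x00\x01placeholder-biff12-worksheet"),
    ("xl/macrosheets/intlsheet1.bin", b"\x00\x01placeholder-biff12-intl-macro"),
    ("xl/macrosheets/sheet1.bin", b"\x00\x01placeholder-biff12-macro-1"),
    ("xl/macrosheets/sheet2.bin", b"\x00\x01placeholder-biff12-macro-2"),
]
# Constructed benign package: XML-only parts, no macro sheets.
BENIGN_PARTS = [
    ("[Content_Types].xml",
     b'<?xml version="1.0" encoding="UTF-8"?><Types ' + CT_NS + b'>'
     b'<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
     b'</Types>'),
    ("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>'),
    ("xl/worksheets/sheet1.xml", b'<?xml version="1.0"?><worksheet/>'),
]

if __name__ == "__main__":
    for name, parts in (("invoice.xlsx", HIDDEN_XLSB_PARTS), ("report.xlsx", BENIGN_PARTS)):
        result = triage_ooxml(build_sample(parts), name)
        print(name, result["heuristics"])
        for a in result["artifacts"]:
            print(f"  {a['carved_name']}  {a['encoding']}  {a['source']}  {a['size']} bytes  {a['sha256']}")
```

The check deliberately keys on the zip part names and the first bytes of each part rather than on the file extension or on [Content_Types].xml alone, because the extension is attacker-chosen and the content-types part can be edited without Excel caring; renaming the same package to .xlsb makes the second rule stop firing while the XLM finding remains.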