Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c71a44c8689de4a9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 61.3 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 26cacc389140623e23117d0159e27ce3
SHA-1: a039d63157b2b8520abbe5ad7bd71f542edc4abc
SHA-256: c71a44c8689de4a94ccc9fda5a9763f6d2f61b75c2023f21fcfea4df61869646
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates that the XLSX file contains Excel 4.0 macros. Analysis of the embedded macro sheet reveals attempts to execute commands, specifically a reference to a path that appears to be an executable: 'C:\Program Files\Common Files\System\msadc.exe'. This suggests the macro's purpose is to launch a malicious executable, likely for further stages of an attack. The macro content is heavily obfuscated, which limits deeper analysis and lowers confidence in this assessment.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_sheet_00.bin (a1dd242c6b5a9283d7e16c0d0a145a4bc4b6862c9874f2d22993350bd8573c1b)
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
    Size: 6626 bytes