Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cdab25c1bc8cb9b0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 83.9 KB  Created: 2021-10-27 10:31:49 UTC  Authoring application: Microsoft Excel 12.0000
MD5: 52eb48c0d399fd850e4b66ae72d242c0
SHA-1: 0ab7a1ed7551ff39699ab9e17d3da26175249a4f
SHA-256: cdab25c1bc8cb9b018f4575ce3bedab6e498c71c1938cfe2f327feea05ad2897
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic fired on an Excel 4.0 (XLM) macro sheet inside the XLSX package. Strings embedded in the macro sheet are fragmented and, once reassembled, yield the file path 'C:\ProgramData\Excel.rtf'. This is consistent with a macro that downloads a secondary payload to that path and executes it, with the .rtf extension serving as a disguise; C:\ProgramData is writable by standard users, so no elevation is needed to stage the file there. The download and execution behaviour is inferred from the reconstructed strings and was not confirmed dynamically in this static analysis.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft disabled XLM macros by default. Even legitimate XLM use is rare in modern workbooks. Here the macro sheet is stored as BIFF12 (XLSB-style) binary content (xl/macrosheets/sheet1.bin) rather than as XML, which OOXML scanners that only parse XML parts miss entirely.
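The check a practitioner would want for this heuristic is one that finds XLM macro sheet parts in an OOXML package whether they are stored as XML or as BIFF12 binary, and that does not rely on a single piece of package metadata. The script below is an added example, not code from the report or the scanner that produced it. It looks for macro sheets three ways: the declared content type in [Content_Types].xml, the macro sheet relationship type in xl/_rels/workbook.xml.rels, and, as a fallback, any part under xl/macrosheets/. It also lists sheets marked hidden or veryHidden in xl/workbook.xml, which XLM droppers commonly use to keep the macro sheet out of sight. The content-type and relationship URIs are the standard Microsoft ones; the build_sample() package is constructed in memory for the demonstration and is not the analysed file (its .bin part holds placeholder bytes, not real BIFF12 records).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types an OOXML package declares for Excel 4.0 (XLM) macro sheets.
# The "+xml" form is the normal XML part; the bare form is the BIFF12 binary
# part used by .xlsb packages, which XML-only scanners never parse.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml": "xml",
    "application/vnd.ms-excel.macrosheet": "biff12",
}
XLM_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def _encoding(part):
    return "biff12" if part.lower().endswith(".bin") else "xml"


def find_xlm_macrosheets(data):
    """Return sorted (part_name, encoding, evidence) tuples for every XLM macro sheet part."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. Declared content types (Override entries only; a Default entry
        #    for .bin would be caught by the relationship or path checks).
        if "[Content_Types].xml" in names:
            for ov in ET.fromstring(z.read("[Content_Types].xml")).iter(CT + "Override"):
                enc = XLM_CONTENT_TYPES.get(ov.get("ContentType", ""))
                if enc:
                    found[ov.get("PartName", "").lstrip("/")] = (enc, "content-type")
        # 2. Workbook relationships: independent of [Content_Types].xml, so it
        #    survives a package whose content types were edited to look benign.
        if "xl/_rels/workbook.xml.rels" in names:
            rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
            for rel in rels.iter(REL + "Relationship"):
                if rel.get("Type") == XLM_REL_TYPE:
                    t = rel.get("Target", "")
                    part = t.lstrip("/") if t.startswith("/") else "xl/" + t
                    found.setdefault(part, (_encoding(part), "relationship"))
        # 3. Path fallback: anything under xl/macrosheets/, regardless of metadata.
        for n in names:
            if n.lower().startswith("xl/macrosheets/") and n.lower().endswith((".xml", ".bin")):
                found.setdefault(n, (_encoding(n), "path"))
    return sorted((p, e, h) for p, (e, h) in found.items())


def hidden_sheets(data):
    """Names of sheets flagged hidden/veryHidden in xl/workbook.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "xl/workbook.xml" not in z.namelist():
            return []
        wb = ET.fromstring(z.read("xl/workbook.xml"))
    return [s.get("name") for s in wb.iter(SML + "sheet")
            if s.get("state") in ("hidden", "veryHidden")]


def build_sample(with_macro=True):
    """Constructed minimal OOXML package (not the analysed sample) for testing."""
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
          '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>']
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>']
    if with_macro:
        ct.append('<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>')
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        rels.append('<Relationship Id="rId2" Type="%s" Target="macrosheets/sheet1.bin"/>' % XLM_REL_TYPE)
    ct.append("</Types>")
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                "<sheets>%s</sheets></workbook>" % "".join(sheets))
    relsxml = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
               "%s</Relationships>" % "".join(rels))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(ct))
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", relsxml)
        z.writestr("xl/worksheets/sheet1.xml", '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.bin", b"\x00constructed-placeholder-not-real-biff12")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for part, enc, how in find_xlm_macrosheets(data):
        print("XLM macro sheet: %s (%s, found via %s)" % (part, enc, how))
    for name in hidden_sheets(data):
        print("hidden sheet: %s" % name)
```

Run it with a path to a real package to scan that file; without arguments it scans the constructed sample, which reports one BIFF12 macro sheet found via its content type and one veryHidden sheet. The three detection layers deliberately overlap: a scanner that trusts only [Content_Types].xml can be blinded by editing that one part, and one that trusts only paths is blinded by a renamed part, so treat any single hit as enough to escalate.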

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: c2ec008704aaf034ef9aa45645b17e92e385c46ba1ac24af0d1716a543b10996
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 113765 bytes