Office (OOXML) / .XLSX malware analysis — malicious · ce35f48e3576a11f

MALICIOUS

Office (OOXML) / .XLSX

81.3 KB Created: 2021-02-26 07:53:41 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-03-01

MD5: ed5575e9d4ed14a76bb27ae2575b9531 SHA-1: 95205a114e419b51999fea199f11066d9ab73c9a SHA-256: ce35f48e3576a11fdb2a8d40d1a8c3858573c8a2d0c4ca445f5b8ccd27399e49

60 Risk Score

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 4569 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.bin`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4569 bytes
SHA-256: `f629aa61effb57aa6086022643e821a190adc4f664bb83f85bbe99b934f6064b`
Preview script First 1,000 lines of the extracted script � � � @ �� Q � % �� & � � ] @ d � $ m m m � � % �� & � �� , � < I) < �? $ � � % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & , % �� & ! , % �� & # , % �� & % , % �� & ' , % �� & ) , % �� & * , % �� & + , % �� & , , % �� & - , % �� & . , = * I @ #/ # I @ #. #% @ % �� & / , % �� & 0 , W D @ C I @ #. # #D #) @ I @ #1 #* @ % �� & 1 , % �� & 2 , % �� & 3 , % �� & 4 , % �� & 5 , % �� & 6 , % �� & 7 , I 6 I @ #< # #$ #- I @ #3 # @ % �� & 8 , % �� & 9 , % �� & : , % �� & ; , % �� & < , % �� & = , % �� & > , O < I! @ #C # # #' #0 I @ #9 #" @ % �� & ? , % �� & @ , % �� & A , % �� & B , % �� & C , % �� & D , > + Z # �: % �: ' �: � B � % �� & E , % �� & F , : ' AJ @ 0 0 : 0 0 : 0 1 @ B �� % �� & G , % �� & H , D 1 Z 3 �Z 6 �Z 8 � B A Q L B � % �� & I , 7 $ # : B �: � B � % �� & J , % �� & K , : ' AJ @ 0 0 : 0 0 : 0 5 @ B �� % �� & L , % �� & M , V C Z �: ! �: $ � : �: �: & � B � % �� & N , % �� & O , % �� & P , % �� & Q , B 6 � � � �� @ +ͪ�@�ل�\ �� VW��F� C`�� N� /��D� �Ϛ��@��[3w� �h�D�pi�= �"� � B��z Z?e�3 S H A - 5 1 2 � B � 0�� 0ffffff�?ffffff�? �? �?333333�?333333�?% �� s1�c�M� +5�1� & �

SHA-256: f629aa61effb57aa6086022643e821a190adc4f664bb83f85bbe99b934f6064b

Preview script

First 1,000 lines of the extracted script

�  �  �   @      ��������    �      Q           �  %      ��                  & �  �     ]       @   d           � $    m               m   m           �  �  %      ��    & �  ����  ,     �  <         I)        <     �?  $	        �  �  %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &   
       ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &           ,                              %      ��    &   !       ,                              %      ��    &   #       ,                              %      ��    &   %       ,                              %      ��    &   '       ,                              %      ��    &   )       ,                              %      ��    &   *       ,                              %      ��    &   +       ,                              %      ��    &   ,       ,                              %      ��    &   -       ,                              %      ��    &   .       ,                 =           *   I   @  #/   #      I   @  #.   #%     @       %      ��    &   /       ,                              %      ��    &   0       ,                 W           D    @  C     I   @  #.   #
    #D    #)     @   I   @  #1   #*     @       %      ��    &   1       ,                              %      ��    &   2       ,                              %      ��    &   3       ,                          	   %      ��    &   4       ,                              %      ��    &   5       ,                          
   %      ��    &   6       ,                              %      ��    &   7       ,                 I           6   I   @  #<   #     #$    #-     I   @  #3   #      @       %      ��    &   8       ,                              %      ��    &   9       ,                              %      ��    &   :       ,                              %      ��    &   ;       ,                              %      ��    &   <       ,                          
   %      ��    &   =       ,                              %      ��    &   >       ,                 O           <   I!  @  #C   #     #     #'    #0     I   @  #9   #"     @       %      ��    &   ?       ,                              %      ��    &   @       ,                              %      ��    &   A       ,                              %      ��    &   B       ,                              %      ��    &   C       ,                              %      ��    &   D       ,                
>           +   Z  #    �:  %    �:  '    �:       �   B �     %      ��    &   E       ,                              %      ��    &   F       ,                
:           '       AJ  @     0 0 : 0 0 : 0 1  @   B ��    %      ��    &   G       ,                              %      ��    &   H       ,                
D           1   Z  3    �Z  6    �Z  8    �   B A Q L      	 B �     %      ��    &   I       ,                 7           $   #       :  B   
�:       �      B �     %      ��    &   J       ,                              %      ��    &   K       ,                
:           '       AJ  @     0 0 : 0 0 : 0 5  @   B ��    %      ��    &   L       ,                              %      ��    &   M       ,                
V           C   Z       �:  !    �:  $    �   :      	�:       �:  &   	�      B	�     %      ��    &   N       ,                              %      ��    &   O       ,                              %      ��    &   P       ,                              %      ��    &   Q       ,                
                B 6     �  � � ��                                                                  @    +ͪ�@�ل�\ ���	VW��F� C`�� �N� /���D�  �Ϛ����@��[3w� �h�D�pi�=    �"�
�	B��z Z?e�3    S H A - 5 1 2 � B                                                                  �  0�� 0ffffff�?ffffff�?      �?      �?333333�?333333�?%      ��  ��s1�c�M� +5�1� & �

Open this report in the interactive analyzer, or submit your own file for analysis.