Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 ced40d5b4e751ac4…

MALICIOUS

Office (OOXML) / .XLSM

Size: 183.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 904379dc152639dee8df059fe44c9402
SHA-1: 2b2c88e65112bf5e1dcc3cab1f2a93f7306cd83a
SHA-256: ced40d5b4e751ac482d204e387d70dda916657ebe753c4e4c3c589d162b71f9e
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.002 Application Layer Protocol: File Transfer Protocols

The file exhibits several strong indicators of malicious activity. The presence of Excel 4.0 XLM macro sheets, combined with the use of dangerous formula APIs like `=CALL`, `=EXEC`, `=REGISTER`, and `=FORMULA` to directly invoke WinAPI functions (URLDownloadToFileA, ShellExecuteA, CreateDirectoryA) strongly suggests a downloader attempting to bypass traditional VBA-based detection. The hidden sheets and the embedded URLs further support this assessment. The file is likely designed to exploit vulnerabilities in older versions of Excel that lack robust XLM protection.

Heuristics (7)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (10 sheet(s))
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: FORMULA, GOTO, REGISTER, HALT
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • [critical] OOXML_XLM_BINARY_WINAPI_STRINGS: Binary XLM macro sheet with WinAPI/download strings
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • [critical] CLAMAV_DETECTION: ClamAV: Xls.Downloader.GreenEnable06210-9869360-0
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable06210-9869360-0
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 10 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; context-specific rules above attribute the URLs they actually evaluated, and this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename         | SHA-256                                                          | Kind            | Source                                                | Size
xlm_sheet_00.xml | 1e56e1f2eede302543e5df8b9ebfaea744b26d28977f1390ea971f4b360a26ef | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml  | 3222 bytes
xlm_sheet_01.xml | 9f05fa9be829be1eefeb660a152567edb54f7c357d0db2659790a946134ef9bd | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml  | 1785 bytes
xlm_sheet_02.xml | 405845b1631a0aa71b486f4418949d96bde2110bb9f06addaf0fcd75e88528c3 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml  | 2657 bytes
xlm_sheet_03.xml | 43e6f6f4ebc87c4132b97fece91322592028938542550327d7113eb1c83010e5 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml  | 1849 bytes
xlm_sheet_04.xml | 49dcda5b792610c41de404d2b70cfc974135ab65a439e8c738a1c9da0fcb9f77 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml  | 1771 bytes
xlm_sheet_05.xml | d36f154dba963b8e1b114a8eb7856a7559b20af161115ec9858bc4527e63792f | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.xml  | 1559 bytes
xlm_sheet_06.xml | 84c260af46eecb368a56b6975dc52f2fe5cc18e2695b57472a4ec15bdec2c065 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.xml  | 1586 bytes
xlm_sheet_07.xml | ad7ce2861628a67d038db82c6e0c4f96565fd87f489a044f5b06b21d72a592e1 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.xml  | 1589 bytes
xlm_sheet_08.xml | b58afdef5f0f3f74593fd083f85481e37c174bf42505739468eec6cc33659cb4 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.xml  | 1582 bytes
xlm_sheet_09.xml | 78202619198b2160503b5dd1d62f26d794ff5905704afedefc7df1582494d5b5 | xlm-macrosheet  | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml      | 1630 bytes