Office (OOXML) / .XLSX malware analysis — malicious · d2ea171749ab704e

MALICIOUS

Office (OOXML) / .XLSX

67.3 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: a2d2d9227e92771ac5c8b64831e1ac6e SHA-1: a84718810f9dbed22a1032a2992b12a4d43be4e9 SHA-256: d2ea171749ab704ead4f43a420900a8cc073d4cc9887fe442892fb19cd074183

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains an Excel 4.0 macro sheet. This macro is designed to execute a command-line process using 'wmic process call create'. The command attempts to run 'C:\ProgramData\excel.rtf', suggesting a downloader or initial execution stage for a secondary payload. The exact nature of the payload is not discernible from the provided evidence.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `28e0f1d12b21caef4e5530b475d8b5f907e9c5d5d1272bfc796c48c205637101`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	155073 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.