Office (OOXML) / .XLSX malware analysis — malicious · d2fae016a1b5e467

MALICIOUS

Office (OOXML) / .XLSX

83.6 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 0a2a5c8c6d7885b5ee8e5b861b7c960b SHA-1: ff60793b504e88ce2ef5fb4e1e720e90dec7521c SHA-256: d2fae016a1b5e467be0498290bc5d6e60bd2b10df13dbcb72df42a4894bf7de6

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Service Execution

The critical heuristic firing indicates the presence of Excel 4.0 macros. The extracted macro commands reveal an attempt to execute 'mshta' with a specific file path, 'C:\ProgramData\excel.rtf'. This suggests the macro is designed to download and execute a second-stage payload disguised as an RTF file from a remote location. The confidence is high due to the direct evidence of macro execution and payload staging.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `ad56688715e8a1bdab97aa2f24a64d8518470c595edf6254e98f6082f8808ccc`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	79590 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.