Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 d36bbd02b90a87cf…

MALICIOUS

Office (OOXML) / .XLSM

Size: 153.5 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 570d5387a56bce79c6e54179bb87f6b4
SHA-1: 6632b7dbd4103fa2d976b9e2a57d21bbaba63cd6
SHA-256: d36bbd02b90a87cfa9c028cf43690395e2c2a554941309af7f2d0cfc59d18d67
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The file is an XLSM document containing Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize dangerous formula APIs like FORMULA.FILL and FORMULA to download a DLL from the reconstructed URL "http://cari.bbeanluxuryresort.com/wp-admin/3.dll" and save it as "C:\Datop\vima.ocx". This indicates a downloader functionality, aiming to fetch and execute a second-stage payload.

Heuristics (6)

  • Excel 4.0 macro sheet (9 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA.FILL, FORMULA [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • ClamAV: Xls.Downloader.GreenOffice02221-9938904-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice02221-9938904-0
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 12 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 1346 bytes
  SHA-256: dd67eb538715a00b2e93065c4d323605ad930e472c8b91844a402c4e23b60409
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 2900 bytes
  SHA-256: 03bc2343445c3ac140f080a44f910ef8c73e2e4e15dd2c0b03ff30df719bba6a
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1417 bytes
  SHA-256: e7b23dbb2e7b6aba3eca21d94728a4fc02006b4256eba3d080d4aebd86292246
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 1415 bytes
  SHA-256: d36c7427a82a1110bc89c52917b3f4ca773def2f7bc8cd798a60772b126db324
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1417 bytes
  SHA-256: dc7796abe0fe08c483ab5c72669d344c10ac31ef7bbd05196f65708365adb679
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.xml | 1414 bytes
  SHA-256: fcc4c31fbdc71bbc2ee85023800d751d96d3911d5b3d97f49cb82b70effc8db8
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.xml | 1413 bytes
  SHA-256: 91f457d28b6be863946aaa078d23a2e0bb458c16f7d026c93da8be6dd58402ba
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.xml | 1324 bytes
  SHA-256: c90506c3d91043abb68d7501520ab9a4381ca45a06c936ff289efcec3c9c337b
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.xml | 1249 bytes
  SHA-256: 37a5582b78c6265eecec3978b2636c25f78bb973fdd3e3e161f6da96bc97b692