Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 d3c3e8da2a5605e8…

MALICIOUS

Office (OOXML) / .XLSM

196.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 90213af289c94acae0f36fb613155187 SHA-1: 826b63a30a1c44ce6ecabab17c64673573088970 SHA-256: d3c3e8da2a5605e86cad1417a6b7a7082307f7a30a6dcd67198fbe6e3ee5b7d0
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1105 Ingress Tool Transfer

This XLSM file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, which is a common technique for executing malicious code upon opening. The macros utilize dangerous functions like FORMULA, GOTO, and HALT, and contain strings indicative of downloading payloads, such as URLDownloadToFileA. The presence of these elements strongly suggests the file's purpose is to act as a downloader for further malicious content.

Heuristics 7

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.GreenEnable052-9863734-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable052-9863734-1
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 1190 bytes
xlm_sheet_01.xml
85cb94d48260153a0ba0b5da6631a2f799f1f676cd2e43ed253df604061d25fd		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 2848 bytes
xlm_sheet_02.xml
c627eb02b6049ab2ba980fb2219c111f1c6d4332ae6ea02091532d722ca536f0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2238 bytes
xlm_sheet_03.xml
b799fe19146b2d88a059ba2f416e9e108ec4d3802659d338d7b81f2d62a387a0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1463 bytes
xlm_sheet_04.xml
2606388a7d493e2de5e08d5a58acd765f1fb51cd2e623e5a4a8ae97e15cd9950		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1469 bytes
xlm_sheet_05.xml
f4a17b32653b96ae29aa1557978f76395ad96653818e54b0c717a27657960068		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.