Office (OOXML) / .XLSX malware analysis — malicious · d6501aab87a4b819

MALICIOUS

Office (OOXML) / .XLSX

26.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300

MD5: 632cecd7857e7ed1521148a032134cd1 SHA-1: f4b22c555afefdc158a06ee839deae1c7ddc1dde SHA-256: d6501aab87a4b819d60e0135befae812fc5b894fee7a00dd11e9fae9b61b4ec3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The sample is an XLSX file containing an embedded Excel 4.0 macro sheet. The heuristics indicate the presence of XLM macros, which are often used for malicious purposes. The macro sheet itself appears to be obfuscated, but the presence of XLM macros strongly suggests an intent to download and execute a second-stage payload, a common attack vector for this type of file.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX

OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `cd42279959768ce5d101b7f63405d41190a7fd5eca5ab26e3ae42ea6b9d46827`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin	1130 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.