Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d836a4c61aec0934…

MALICIOUS

Office (OOXML) / .XLSX

Size: 124.2 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 561b4b505cebc6225c75409c2b8bef54
SHA-1: 8782a9c7d7c96371db562cafda9a327e589235c0
SHA-256: d836a4c61aec09343914b4cd215b67fe259acfcfcfac2b0a477ad5d610cdc448
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is an Excel file containing multiple Excel 4.0 macro sheets, as indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The ClamAV detection name 'Xls.Downloader.GreenOffice01223-9937701-0' strongly suggests that these macros are designed to download and execute a secondary payload. No specific URLs or commands were directly extractable from the truncated script content, but the overall pattern points to a downloader.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    The OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                             Size
xlm_sheet_00.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet4.bin      484 bytes
                  SHA-256: 0fc8e066703330beb0acb963cc90c864ba9d7a35a9857de7f07543eadd5d8ecf
xlm_sheet_01.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet7.bin      484 bytes
                  SHA-256: bf6715d9fae02136a7d6693b0ac7c420e37154df417d0c5bc8d8b5a748556dac
xlm_sheet_02.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin  2679 bytes
                  SHA-256: 78c400169fb4fb9a22c987f904afcf0733dcd9b50d30205a6305a30e3e201fd8
xlm_sheet_03.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet5.bin      484 bytes
                  SHA-256: dc492d30ddc2bac398d8b712a2dbbe5e3639e42b759dc41165cdc40f8bbe233d
xlm_sheet_04.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.bin      484 bytes
                  SHA-256: b0f3bfa980b44cd091b93eaa2d90fa38b47a49700d4556c470b3563537690d9d
xlm_sheet_05.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.bin      484 bytes
                  SHA-256: dec3f15faf62c14843387eba63e2247394d04864293823ccfe6f2e6f8b9e3fd8
xlm_sheet_06.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet6.bin      484 bytes
                  SHA-256: 94f4f9a5c419e00c67505628fb5f2ad897edf8744c6539288147e8eae078975a
xlm_sheet_07.bin  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet3.bin      484 bytes
                  SHA-256: 46b4bfc3a91f065aa470b2ea9dbad4342ec52708efca6655feb50bef938cbdaa