Office (OOXML) / .XLSX malware analysis — malicious · d992017c7351fcff

MALICIOUS

Office (OOXML) / .XLSX

66.4 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 8ffacb4b30e1a4ed2061726daf503bad SHA-1: a7eeaf64dfc1964cd32b1072b178f38481729f37 SHA-256: d992017c7351fcff913215a42f37ebddff2563e34f4c7dc04527fc80c3d40d26

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1218.011 System Binary Proxy Execution: Rundll32

The sample is an Excel 4.0 macro sheet, which is a strong indicator of malicious intent. The embedded macro uses 'wmic process call create' to execute a file named 'excel.rtf' located in 'C:\ProgramData\'. This indicates the document is likely a dropper or downloader attempting to execute a second-stage payload. The specific command used suggests an attempt to bypass security controls by leveraging a legitimate system utility.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `2eec98f3512e720ff549b6640f2420bc4d52d2d6707ae7200113a3a7ca2ca5ad`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	59680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.