Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 defb45f39a49d579…

MALICIOUS

Office (OOXML) / .XLSX

63.0 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000
MD5: 32cf28db14032003866f66e7d7af29a8 SHA-1: 12083f3f5c5e28b5949b74cd09fcb6ed269b0772 SHA-256: defb45f39a49d579947f0f7a8c3f4eef1bdd4c77947a4e7e48ab66ccf279e9bd
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OOXML_XLM_MACROSHEET' indicates the presence of Excel 4.0 macros. The extracted script content, though truncated, shows commands that appear to construct paths and execute arbitrary code, suggesting a downloader or initial execution stage. Specifically, it attempts to write to 'C:\ProgramData\fnsfunsgfgrgnkjfsgnd' and 'C:\ProgramData\fnsfunsgfgrgnkjfsgnd\rtf', which are likely staging locations for further malicious activity.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
a2778f8e0edae58e696767a5bd4ada31f82bf98b2577ba4a0aba38d51394327d		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 4018 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.