Xls.Downloader.GreenOffice01223-9937701-0 — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 e033fff31440a1d1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 123.9 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-07-26
MD5: c55c526d009881fc505db4c93f510e3c
SHA-1: a0e14096d8a3f524fffaee4ed9e309518a28ce9c
SHA-256: e033fff31440a1d1e5acefec9881f5f26f26ee16e2a2cb4aa277ab48ce4a425c
Risk Score: 120

Malware Insights

Xls.Downloader.GreenOffice01223-9937701-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice01223-9937701-0. Static analysis revealed the presence of multiple Excel 4.0 macro sheets, indicating a macro-based downloader. These macros are likely responsible for fetching and executing a secondary payload, although the exact download URL or execution commands are not directly visible in the provided script excerpts.

Heuristics 2

  • Excel 4.0 macro sheet (8 sheet(s)) (severity: critical, rule: OOXML_XLM_MACROSHEET)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts 8

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| xlm_sheet_00.bin | 383359c43fb33daa3b743512009d5860cc8122eac13928285f5d4bff633c13da | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes |
| xlm_sheet_01.bin | 5faf1d7164212f3e1219a0b0e5692a3102a228c85bde2895ed147155015999c0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes |
| xlm_sheet_02.bin | 14048fdafc327dacb76a5e0f08d49df09c7fefbb4ce732982b635fd326c52224 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2080 bytes |
| xlm_sheet_03.bin | f72658d4c5eb121ee5d44aeeb137e864933b391fdaf1d9ca11ad8e9af8b0f8e7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes |
| xlm_sheet_04.bin | f441503c2edd33d27f834b688da4c440a2351b0c2a248b1165852f39859f71d0 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes |
| xlm_sheet_05.bin | 2c4fa2d742f062957884a6ef0a34bcf7d05f738bdabe93c41418e08773609219 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes |
| xlm_sheet_06.bin | 9eb036057be8c0ad73cf9900fc3c2b115a8ae9d6243beaf2df1c5f3b843ecd93 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes |
| xlm_sheet_07.bin | 09a9e8fbc535f937b713c6e0be954cae231f0ef8d7e9c5d4fb63d680fa63bd76 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes |