Office (OOXML) / .XLSX malware analysis — malicious · e310737dbb1c9ef1

MALICIOUS

Office (OOXML) / .XLSX

74.9 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: c5fd84bb5c283d3e5bfeb971f7d84bfb SHA-1: ebc276b3eece572ecd441cb1454fe60a26a04885 SHA-256: e310737dbb1c9ef1446f2fd7e3c08a455243314078aeb4b5763d412c940c91e8

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet. The macro commands reconstruct to 'wmic process call create 'C:\ProgramData\excel.rtf'', suggesting the macro's purpose is to execute a second-stage payload from the ProgramData directory. The exact nature of 'excel.rtf' is unknown, but its execution via WMIC points to a downloader or initial execution stage.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `5b4ca2cb2f9b5c4cb0c42269d6c70d0f0746a04f098cc833e96a8d46ebbd582f`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	158494 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.