GreenOffice — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 e47c159e2c89ba34…

MALICIOUS

Office (OOXML) / .XLSX

124.2 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a27b4af8036b8f2b39a1324ab51baf20
SHA-1: bfd91d19dd87c9f27488fe65412257cb0feaf971
SHA-256: e47c159e2c89ba345b515bc6f41aba8a22db7b001cf38bdde04af35c8b4933d6
180 Risk Score

Malware Insights

GreenOffice · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice01223-9937701-0. Static analysis reveals the presence of multiple Excel 4.0 macro sheets within the XLSX file. These macros are indicative of a downloader, likely intended to fetch and execute a secondary payload. The specific macro sheet names and the ClamAV signature suggest the GreenOffice malware family.

Heuristics 3

  • Excel 4.0 macro sheet (8 sheet(s)) · critical · OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx · critical · OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 484 bytes
    0fc8e066703330beb0acb963cc90c864ba9d7a35a9857de7f07543eadd5d8ecf
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 484 bytes
    bf6715d9fae02136a7d6693b0ac7c420e37154df417d0c5bc8d8b5a748556dac
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2679 bytes
    78c400169fb4fb9a22c987f904afcf0733dcd9b50d30205a6305a30e3e201fd8
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 484 bytes
    dc492d30ddc2bac398d8b712a2dbbe5e3639e42b759dc41165cdc40f8bbe233d
xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 484 bytes
    b0f3bfa980b44cd091b93eaa2d90fa38b47a49700d4556c470b3563537690d9d
xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 484 bytes
    dec3f15faf62c14843387eba63e2247394d04864293823ccfe6f2e6f8b9e3fd8
xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 484 bytes
    94f4f9a5c419e00c67505628fb5f2ad897edf8744c6539288147e8eae078975a
xlm_sheet_07.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 484 bytes
    46b4bfc3a91f065aa470b2ea9dbad4342ec52708efca6655feb50bef938cbdaa