Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e81156f57f5ebca5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 113.8 KB
Created: 2021-03-29 19:55:06 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 6d28273804516bb7a35932130e3e3a42
SHA-1: 52e8ca78007e145ed842a163a3aa8c883b77cc09
SHA-256: e81156f57f5ebca539d5f5bcd952535d26e6cd4cbbd7849c09088d3e8913827f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET heuristic. The macro sheet appears to be truncated, but the presence of such macros strongly suggests an intent to execute arbitrary code. The primary function is likely to download and execute a second-stage payload, although the specific URL or command is not fully extractable due to truncation.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet), severity: critical, rule: OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: 0d7587152bc0f528e5a96e63bf55d518f873054a6c56d73970556b76fed247db
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 94808 bytes