Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e85ed8154f832611…

MALICIOUS

Office (OOXML) / .XLSX

125.1 KB Created: 2021-09-14 17:09:08 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-09-23
MD5: ff63e904c472203ce39846b9c08fcbd2 SHA-1: 25c0825a8881ddf2f1333309868121ea9735658d SHA-256: e85ed8154f832611a895d3bc6a8c647777b4ad3ba81c41f526770b68bd4d8eba
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file identified as containing Excel 4.0 macros. The critical heuristic firing indicates the presence of an XLM macro sheet, which is often used to download and execute malicious payloads. The external relationship firing further suggests the macro attempts to interact with external resources. No specific family could be identified, but the technique is consistent with macro-based malware delivery.

Heuristics 2

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/pivotCache/_rels/pivotCacheDefinition1.bin.rels: 2.xlsb

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
1154d75d153a7dc902a5f4a782e4b8136465a5ee935a6e7d3e106feaafd81e71		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 4811 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.