Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e8b85e89495f9bf9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 345.3 KB
Created: 2021-08-16 09:36:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: f76b416ff446c5a252b3c82e7bb3a181
SHA-1: 75fb5fa0c5e84187ed024e90b6148557cc9dd2f2
SHA-256: e8b85e89495f9bf9f9b1ac4cd123155375972772a0fc899c584c226525ecfb5c
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic indicates the presence of Excel 4.0 (XLM) macros inside the OOXML package. The recovered macro content is truncated and heavily obfuscated, so its specific intent cannot be determined, but an XLM macro sheet in a modern workbook is by itself a strong indicator of an attempt to run attacker-controlled code: XLM formulas such as EXEC, CALL and REGISTER can launch commands and invoke native APIs directly from cells. The technique is commonly used for initial access and payload delivery, typically as a dropper stage that fetches and runs a second-stage executable. Note that XLM is a separate macro language from VBA; the T1059.005 (Visual Basic) mapping above is an approximation for Office macro execution, and the report lists no VBA project in this file.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: 5c8165d4e487d3cd03b44d92afe75610e91b5985d9e3d585aed7f73a740c62e0
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 258960 bytes
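As an added illustration (not part of this report and not the analyzer's own code), the Python script below implements the check behind the OOXML_XLM_MACROSHEET heuristic together with the carving step that produced xlm_sheet_00.bin: it walks an OOXML zip, reads [Content_Types].xml, flags any part stored under xl/macrosheets/ or declared with a macrosheet content type, and hashes the raw part bytes instead of parsing them as XML, so a BIFF12 .bin macro sheet is caught as readily as an XML one. The build_sample() helper constructs a minimal stand-in package for offline testing; its placeholder bytes are not real BIFF12 records, and the content-type string used for the binary macro sheet is an assumption modelled on XLSB packaging.

```python
"""Detect and carve Excel 4.0 (XLM) macro sheets from an OOXML package (added example)."""
import hashlib
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
HEURISTIC_ID = "OOXML_XLM_MACROSHEET"


def _content_types(zf):
    """Map every part name to its declared content type via [Content_Types].xml."""
    overrides, defaults = {}, {}
    if "[Content_Types].xml" in zf.namelist():
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Override"):
            overrides[el.get("PartName", "").lstrip("/")] = el.get("ContentType", "")
        for el in root.iter(CT_NS + "Default"):
            defaults[el.get("Extension", "").lower()] = el.get("ContentType", "")
    types = {}
    for name in zf.namelist():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        types[name] = overrides.get(name) or defaults.get(ext, "")
    return types


def find_xlm_macrosheets(zip_bytes):
    """Carve XLM macro sheet parts out of an OOXML package held in memory.

    A part is flagged if it lives under xl/macrosheets/ OR its declared content
    type names a macrosheet, so the XML form (sheet1.xml) and the BIFF12 binary
    form (sheet1.bin) are both caught. The raw bytes are hashed, never parsed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        types = _content_types(zf)
        for name in sorted(zf.namelist()):
            ct = types.get(name, "")
            if not (name.lower().startswith("xl/macrosheets/") or "macrosheet" in ct.lower()):
                continue
            data = zf.read(name)
            hits.append({
                "artifact": f"xlm_sheet_{len(hits):02d}.bin",  # naming mirrors the report
                "source": name,
                "content_type": ct,
                "binary": name.lower().endswith(".bin"),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
    return hits


def assess(hits):
    """Turn carved parts into the heuristic verdict shown in the report, or None."""
    if not hits:
        return None
    return {"id": HEURISTIC_ID, "severity": "critical", "sheets": len(hits),
            "binary_parts": sum(h["binary"] for h in hits)}


def build_sample(binary=True, macro=True):
    """Constructed, minimal OOXML package for offline testing (not a real sample)."""
    part = "xl/macrosheets/sheet1.bin" if binary else "xl/macrosheets/sheet1.xml"
    # The XML macrosheet type is the documented one; the binary type is an assumption.
    ct_macro = ("application/vnd.ms-excel.macrosheet" if binary
                else "application/vnd.ms-excel.macrosheet+xml")
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if macro:
        overrides.append(f'<Override PartName="/{part}" ContentType="{ct_macro}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")  # constructed placeholder
        if macro:
            if binary:
                # Placeholder bytes standing in for BIFF12 records (constructed, not real).
                payload = b"\x00" * 16 + b"CONSTRUCTED-XLM-BIFF12-PLACEHOLDER" + b"\x00" * 16
            else:
                payload = b'<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">' \
                          b'<sheetData><row r="1"><c r="A1"><f>HALT()</f></c></row></sheetData></xm:macrosheet>'
            zf.writestr(part, payload)
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = find_xlm_macrosheets(blob)
    for h in found:
        print(f"{h['artifact']}  {h['sha256']}  {h['source']}  {h['size']} bytes")
    print(assess(found) or "no XLM macro sheet")
```

Run it against a real .xlsx/.xlsb path to list carved parts with their SHA-256 values; with no argument it runs against the constructed sample. Carving by part path and content type rather than by parsing sheet XML is the point: a scanner that only feeds xl/**/*.xml to an XML parser never sees a .bin macro sheet at all.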