Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e9d1338224a412ac…

MALICIOUS

Office (OOXML) / .XLSX

Size: 123.8 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ca411789676bc7da84ff9aee1e13f17c
SHA-1: b3ff989c83c76cd0654e8d27f6c5e6c081c1e054
SHA-256: e9d1338224a412acbf0924f81ded63ef9c52d4cc6a1b8dd2094ee39a6a7984bc
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.GreenOffice01223-9937701-0. Static analysis revealed the presence of multiple Excel 4.0 macro sheets, indicating a macro-based execution flow. These macros are likely responsible for downloading and executing a secondary payload, a common technique for malware delivery.

Heuristics (3)

  • Excel 4.0 macro sheet (8 sheet(s)) [critical] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx [critical] OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.
  • ClamAV: Xls.Downloader.GreenOffice01223-9937701-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenOffice01223-9937701-0

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 428 bytes | 601e373374d41fdd36dd907ce4e8dc0dc0e62d3cf33bbc6cf8c27500b3b2183f
xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.bin | 428 bytes | 789c86435dced37b9809e0d14afad4ae4bec773ba94488e1a402ea2607098acf
xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 2080 bytes | 75546976956b41175dda83afb5dd2f36972a4c8ee8479a35e3c993561a13e40f
xlm_sheet_03.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 428 bytes | fa2cdb3f36be3e136711bb0f17877a81a3075c3aa1f9577263203e20e17563b6
xlm_sheet_04.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 428 bytes | 3a4f7457134bada0037c22b38f7a80bf2ab71f1bea3b2529ecec0ec1f8c4a567
xlm_sheet_05.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.bin | 428 bytes | 9503a7e1b54a411a5384744a0235d0aa88ebdfcc1d955d8bb046efd02166e80e
xlm_sheet_06.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 428 bytes | d467663aa96d2dc4437dcdc2fe587f90ebd44488e841fa9404c0820dcc29eda3
xlm_sheet_07.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.bin | 428 bytes | 81cd2db898416c2ec8e340d66f358552cf450627a515990768e25ebfeee99983