Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 eaf4092fa892c99b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 109.6 KB
Created: 2021-08-16 09:36:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: e09ca36873a6f19d826d45037fda793b
SHA-1: 2f6775b6447a17aa56eabf47617f1934d524fa3a
SHA-256: eaf4092fa892c99b4c3f3a843324bd297db4fac6c5a1b775f9a409505b13bfa3
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET heuristic. While the macro content is truncated, the presence of Excel 4.0 macros strongly suggests an attempt to execute arbitrary commands upon opening the document. Further analysis of the full macro content would be required to determine the specific payload or command execution.

Heuristics 1

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Hash: 986380f15e19d4312e5d2bec8d9f6fc6022f370a51436f2dc2a85a7b59b7644b
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 253714 bytes