Office (OOXML) / .XLSX malware analysis — malicious · ec1d1d46013c5301

MALICIOUS

Office (OOXML) / .XLSX

82.5 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: af5fdfae0904b9675162641e3a0c8152 SHA-1: d41cda7384ed1bd90ad96447d0e76510282a6e71 SHA-256: ec1d1d46013c5301bd76b7ce83ccae963f2b1ea14ffe9997c6ac7c55d82a148a

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet. Analysis of the macro sheet content reveals a path that appears to be an attempt to write a file named 'excel.rtf' to the ProgramData directory. This suggests the macro is designed to download and execute a secondary payload, a common technique for initial access and further system compromise.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `25703dffbd66c324e55c8d94cd9c49669e6316f54bbb05e0dc8ebb19c0bf3c03`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	270633 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.