Office (OOXML) / .XLSX malware analysis — malicious · edaef8c44729b639

MALICIOUS

Office (OOXML) / .XLSX

71.3 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 000088dae65d73bc45159fa6b74812cf SHA-1: a86ce593f49c88732d2a2a57ffb586eb0a4d4627 SHA-256: edaef8c44729b6399eb31bbe3d1c3a9fbceb0407298a7b225fdd589d69278635

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of Excel 4.0 macros within the XLSX file. These macros appear to be designed to execute arbitrary commands, as evidenced by the embedded string that reconstructs to a suspicious path: 'C:\ProgramData\fnsfunSfgRgnKjFsgNd'. This path is likely used to drop or execute a secondary payload. The exact intent of the macro is difficult to fully ascertain due to truncation, but it strongly suggests a downloader or initial execution stage.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `283523211864ce5a0dfa5e2198dc5f01de0d9c2bcf13fe515ca98fbcc44785f0`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4426 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.