Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f00f12b0776159a5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 535.6 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: e62edae483656d36842142b256560973
SHA-1: 46155b1f39c6baa9c836af953baf752f4b013896
SHA-256: f00f12b0776159a5d6d2b203a7ebf90351c9bd9cfef2b549c95bdf401453387a
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing Excel 4.0 (XLM) macros, as indicated by multiple critical heuristic firings. These macros use dangerous functions such as EXEC and CALL, which are known primitives for downloading and executing arbitrary code. The ClamAV detection name 'Xls.Downloader.GreenEnable052-9863734-1' further supports its role as a downloader. No payload URLs were extracted (the only URLs found in the bytes are standard OOXML and XMP schema namespace declarations, not network indicators), but the presence of these macros strongly suggests malicious downloader functionality.

Heuristics (6)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (2 sheets)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: GOTO, EXEC, HALT
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • [critical] CLAMAV_DETECTION: ClamAV: Xls.Downloader.GreenEnable052-9863734-1
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable052-9863734-1
  • [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden)
    Excel workbook contains 3 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: the context-specific rules above report the URLs they actually evaluated, and this rule lists URLs that were present in the file bytes but were not tied to any specific finding.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: xlm_sheet_00.xml
    SHA-256: ada954ca3ab43ccf2d53a49c00a49596cc1df7d9996e33a7e27ed3a5991eaf01
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
    Size: 1564 bytes
  • Filename: xlm_sheet_01.xml
    SHA-256: 32ba101215b038461a286de9efc369a50c2d00870a17d552cc1854c8fe12671f
    Kind: xlm-macrosheet
    Source: OOXML XLM macro sheet: xl/macrosheets/sheet2.xml
    Size: 2326 bytes