Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f060b5e343387531…

MALICIOUS

Office (OOXML) / .XLSX

Size: 113.6 KB
Created: 2021-03-05 04:08:28 UTC
Authoring application: Microsoft Excel 16.0300
MD5: be923995af11a44b9cb659eeda63c6e5
SHA-1: 5a4ecc91d99273bb23ff73f907ecacfb23130746
SHA-256: f060b5e3433875310f373cdde41391fe16ff9a280d9f4e27c88a4ca4fc77fd74
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is an Excel file containing Excel 4.0 macros, as indicated by the 'OOXML_XLM_MACROSHEET' heuristic. The ClamAV detection 'Doc.Downloader.Trojan' strongly suggests downloader functionality. The embedded macro content is heavily obfuscated and truncated, which prevents a detailed analysis of its specific actions and the reconstruction of any URLs or commands. The exact payload and delivery mechanism therefore cannot be determined, but the intent is clearly to download and execute further malicious code.

Heuristics (2)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • ClamAV: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256: 29b8c6c42ca1c59796609e49ac5f2e522fb6fdd8124437e0d612373b2df11b33
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 10168 bytes