Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f1d21cd76db645ac…

MALICIOUS

Office (OOXML) / .XLSX

110.5 KB
Created: 2021-09-08 10:16:58 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 58453775d0dbe884f907f3b58a117192
SHA-1: d5722c31b6c78fa89959854a0841693b0eb3b1b5
SHA-256: f1d21cd76db645acbeab2c52be8411b3b29b892a905263d7fc3991dabeadea93
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel spreadsheet containing embedded Excel 4.0 macros. The heuristics indicate the presence of these macros, which are often used to execute arbitrary commands or download additional payloads. No specific URLs or commands were extracted, limiting further analysis of the exact execution chain.

Heuristics 1

  • Excel 4.0 macro sheet (2 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.bin (6218ec10386474a66b378c53580b3ad3ac84218dd12e21320c7fa461848ab05d) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 304 bytes
xlm_sheet_01.bin (859b68799e6e457532addec293f84b74ab2fed260b73df21089d654b14232929) | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 926 bytes