Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f36e021a3c3fc344…

MALICIOUS

Office (OOXML) / .XLSX

57.7 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 33f4f1b390ccb9bafdbd0c232757648b SHA-1: aeeec1c5d8e3b8c0ce626d1e01699d18b4a5c627 SHA-256: f36e021a3c3fc3441db2e9cdde95706ec10f9134929b49bde0b693f30c2ecc14
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an XLSX document containing hidden Excel 4.0 macros, indicated by the OOXML_XLM_MACROSHEET and OOXML_XLSB_INTL_MACROSHEET_IN_XLSX heuristics. The extracted macro content, though heavily obfuscated, appears to contain a URL that would likely be used to download and execute a second-stage payload. The specific macro commands are not fully discernible due to obfuscation, leading to a moderate confidence level.

Heuristics 2

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLSB international XLM macro sheet hidden in .xlsx critical OOXML_XLSB_INTL_MACROSHEET_IN_XLSX
    OOXML package is named .xlsx but contains XLSB workbook parts and an international Excel 4.0 macro sheet. This hides XLM macro execution from scanners that trust the extension or only inspect XML worksheet parts. The technique is macro execution, not a document-parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
2bfddc5b0137b0730940d694c77d1373b4a63180deeb96ed09e796b5e65818f1		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin 1770 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.