Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f4b05b9f1b487e87…

MALICIOUS

Office (OOXML) / .XLSX

Size: 108.5 KB
Created: 2021-08-16 09:36:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 812da75243c46282b2c7ed01ff6da780
SHA-1: 51a8001081cffd6b413b35cd086caea7f981ef4d
SHA-256: f4b05b9f1b487e874fcf8b85fab7ebf5cabf9cad2b327ad4956a0e5c483eb611
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The single critical heuristic indicates that the workbook carries an Excel 4.0 (XLM) macro sheet. The recovered macro content is truncated and heavily obfuscated, so its behaviour could not be read directly; XLM macros of this kind are commonly used to download and execute a second-stage payload. Without further deobfuscation or network analysis, the specific family and payload remain unknown.

Heuristics (1)

  • OOXML_XLM_MACROSHEET (critical): Excel 4.0 macro sheet (1 sheet)
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022: it predates VBA and evaded many VBA-focused controls until Microsoft disabled XLM macros by default. Legitimate XLM use in modern workbooks is rare, so its presence alone warrants the critical rating. In this sample the macro sheet is stored as XLSB/BIFF12 binary content (xl/macrosheets/sheet1.bin) rather than XML, which scanners that only inspect XML parts of an OOXML package will miss.
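The point of the heuristic above is that the macro sheet part can be located without parsing the sheet contents: an OOXML package is a ZIP, and the part is announced both by its content type in [Content_Types].xml and by its path under xl/macrosheets/. The script below is an added example, not the report generator's own code, that implements that check and carves the part with its SHA-256. It runs against a constructed in-memory package (the placeholder bytes stand in for real BIFF12 records and are not taken from the sample); the content-type strings are the ones Excel registers for macro sheet parts, and the detector also catches a part that is present on disk but not declared.

```python
import hashlib
import io
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Content types Excel registers for XLM (Excel 4.0) macro sheet parts. .xlsx packages
# store the sheet as XML; .xlsb packages store it as BIFF12 binary records.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
    "application/vnd.ms-excel.macrosheet",
}
XLM_BINARY_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet"


def find_xlm_macrosheets(package_bytes):
    """Locate and carve every XLM macro sheet part in an OOXML package (bytes).

    Two independent signals are used: the content type declared for the part in
    [Content_Types].xml, and the part living under xl/macrosheets/. Either alone is
    enough, so a package that omits the Override or declares it oddly is still flagged.
    Returns one dict per part with its hash and whether it is XML or binary.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        declared = {}
        if "[Content_Types].xml" in zf.namelist():
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for override in root.iter(CT_NS + "Override"):
                part = override.get("PartName", "").lstrip("/")
                declared[part] = override.get("ContentType", "")
        for name in zf.namelist():
            ctype = declared.get(name, "")
            by_type = ctype in XLM_CONTENT_TYPES
            by_path = name.startswith("xl/macrosheets/") and not name.endswith("/")
            if not (by_type or by_path):
                continue
            data = zf.read(name)
            is_binary = name.endswith(".bin") or ctype == XLM_BINARY_CONTENT_TYPE
            findings.append({
                "part": name,
                "content_type": ctype,
                "encoding": "bin" if is_binary else "xml",
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "matched_by": [k for k, hit in (("content_type", by_type), ("path", by_path)) if hit],
            })
    return findings


# Constructed stand-in for a macro sheet part; real BIFF12 records are not reproduced here.
FAKE_XLM_PART = b"XLM-BIFF12-PLACEHOLDER"


def build_sample_package(with_macrosheet=True, declare_macrosheet=True):
    """Build a constructed minimal XLSB-style package in memory (not the analysed sample)."""
    overrides = [
        ("/xl/workbook.bin", "application/vnd.ms-excel.sheet.binary.macroEnabled.main"),
        ("/xl/worksheets/sheet1.bin", "application/vnd.ms-excel.worksheet"),
    ]
    if with_macrosheet and declare_macrosheet:
        overrides.append(("/xl/macrosheets/sheet1.bin", XLM_BINARY_CONTENT_TYPE))
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join('<Override PartName="%s" ContentType="%s"/>' % o for o in overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.bin", b"WORKBOOK-PLACEHOLDER")
        zf.writestr("xl/worksheets/sheet1.bin", b"SHEET-PLACEHOLDER")
        if with_macrosheet:
            zf.writestr("xl/macrosheets/sheet1.bin", FAKE_XLM_PART)
    return buf.getvalue()


def scan_sample(**kwargs):
    """Build the constructed package with the given options and scan it."""
    return find_xlm_macrosheets(build_sample_package(**kwargs))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Against a real file, replace build_sample_package() with the bytes of the workbook; because the check keys on package metadata and part names rather than on cell formulas, it fires on binary (.bin) macro sheets exactly like the one carved from this sample, which is what an XML-only scanner overlooks.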

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  xlm_sheet_00.bin
SHA-256:   77a47a8d19b7247319366c4cea7887262af235da69c0b68bb12aae5be40d498e
Kind:      xlm-macrosheet
Source:    OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size:      256821 bytes

The carved part is larger than the 108.5 KB container because OOXML parts are deflate-compressed inside the ZIP package; the size above is the decompressed macro sheet.