Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 f9d2714daeaef6a0…

MALICIOUS

Office (OOXML) / .XLSM

196.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: 2767c21031d89d323c22d2fe6abaa573 SHA-1: 8426338a5f0aafd1d1802f5f532492b54fd31748 SHA-256: f9d2714daeaef6a02764fac0f354d0a2d18cd5f24c16935ab8e4ec01cbeafd78
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1105 Ingress Tool Transfer

This XLSM file contains multiple Excel 4.0 macro sheets, including an Auto_Open defined name, which is a common technique for executing malicious code upon opening. The macros utilize dangerous formula APIs like FORMULA, GOTO, and HALT, and contain strings such as URLDownloadToFileA and DownloadToFileA, indicating the intent to download and execute a second-stage payload. The presence of hidden worksheets further suggests an attempt to conceal malicious activity.

Heuristics 7

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Binary XLM macro sheet with WinAPI/download strings critical OOXML_XLM_BINARY_WINAPI_STRINGS
    Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
  • ClamAV: Xls.Downloader.GreenEnable052-9863734-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.GreenEnable052-9863734-1
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml
e26278d9df62929caddc39c2675d1a93c805965a35896b4c4240468b728373e2		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml 1190 bytes
xlm_sheet_01.xml
016b6b2eb925583b560ac181c148d0d9af6e5e0d9ff4bb66474d2f0161995757		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml 2846 bytes
xlm_sheet_02.xml
c627eb02b6049ab2ba980fb2219c111f1c6d4332ae6ea02091532d722ca536f0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml 2238 bytes
xlm_sheet_03.xml
b799fe19146b2d88a059ba2f416e9e108ec4d3802659d338d7b81f2d62a387a0		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml 1463 bytes
xlm_sheet_04.xml
2606388a7d493e2de5e08d5a58acd765f1fb51cd2e623e5a4a8ae97e15cd9950		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet5.xml 1469 bytes
xlm_sheet_05.xml
f4a17b32653b96ae29aa1557978f76395ad96653818e54b0c717a27657960068		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.