Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f9e3e2a6d98c149b…

MALICIOUS

Office (OOXML) / .XLSX

215.7 KB Created: 2021-10-14 17:24:36 UTC Authoring application: Microsoft Excel 12.0000
MD5: 57b5d53ef4361aabce61c65ce6de38fd SHA-1: 8526bc1fcf56dd63e15136b3bd4b1b6ddb0c7985 SHA-256: f9e3e2a6d98c149b91ae433df80d949915e86cf0a6741b24acdce491329fb09f
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' heuristic. The embedded macro sheet 'xlm_sheet_00.bin' is the primary artifact. While the macro content is truncated, the presence of Excel 4.0 macros strongly suggests an attempt to execute arbitrary commands, a common technique for initial access or downloading further payloads. No specific family could be identified.

Heuristics 2

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/tiff/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin
1a501e223f207dd16eb8bc890f40c419c21c7854d40d3286a633022b8d2da79c		 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 374848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.