Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f9e9300992a934b5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 74.8 KB
Created: 2021-03-14 20:07:08 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 4ce66b772dc6f8c4de59f8ebf6cae765
SHA-1: a5deb92e214d8c21b159d9a9682ade54a0172766
SHA-256: f9e9300992a934b5c46671bfd308552b4c565427eb7c9f744be2f8631d038597
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of Excel 4.0 macros within an OOXML file. While the macro content is truncated and obfuscated, the presence of such macros strongly suggests a malicious intent, likely to download and execute a secondary payload. The file's structure and the heuristic firing are sufficient to classify it as malicious, but the exact payload and delivery mechanism cannot be determined with high confidence due to the truncated script.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet) [severity: critical] [rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
SHA-256:  f42b99f980048828f35f257c1a9803b6fb8cffad4abcb712ecf7dc8a682ba589
Kind:     xlm-macrosheet
Source:   OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size:     92580 bytes