Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 fa7db1ba880ea88f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 71.3 KB
Created: 2020-04-23 12:26:24 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ad870643e667802c49ee202af0b1e4e3
SHA-1: 0e11694187847b8db3c34a41a05369a07e95a861
SHA-256: fa7db1ba880ea88f009483c7755ba0a90899c3737610ea50216c85850d7a9605
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an Excel workbook containing 25 Excel 4.0 (XLM) macro sheets, a technique commonly used to evade VBA-aware security controls. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content' to view the content, a typical lure for bypassing macro security. The combination of XLM macros and the enable-content lure strongly suggests malicious intent, most likely downloading and executing a second-stage payload.

Heuristics (5)

  • Excel 4.0 macro sheet (25 sheets) [high] OOXML_XLM_MACROSHEET
    The spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults; even legitimate XLM use is rare in modern workbooks.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    The workbook contains 25 hidden sheets. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs listed here are standard OOXML schema namespace URIs found in ordinary workbooks, not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts (25)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 133490 bytes | c2fca158c6bc078ccfe1146257af2bf105751d4babe914c332f0f17198f78d0f
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 shell/COM execution token(s).
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 38571 bytes | 1d99736e4e854068a3f46673ab098a695dd695bf5cd91b4fc1ed1b18f19ec52f
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1086 bytes | 9f283908395532c95fce977a78397506a38df5c3ae37ba8f4d02a89a27acd002
xlm_sheet_03.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.xml | 1086 bytes | f5ea50e73cc18765068487f036df171ffdfe3ddc24caf82cbba8f5fecb5b3893
xlm_sheet_04.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet5.xml | 1086 bytes | 956c73045ab059064bfa3bc2a50db053ca35747cd821e58f1383289376a80e98
xlm_sheet_05.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet6.xml | 1086 bytes | b856c9721a360e0a8eef4f24c81faf11db89912a5afea108e8299f3ba87793c4
xlm_sheet_06.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet7.xml | 1086 bytes | ace910384cddedf175063674ee17c372e50a30cd6a811808c133c489152117aa
xlm_sheet_07.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet8.xml | 1086 bytes | 0c4c94a2e50e2c4199242ea42da294a32ef669f0c592866ca25c81ca27a2fc2c
xlm_sheet_08.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet9.xml | 1086 bytes | 31b0654ec7979f95e83df5acafa0ce26f8ffc3a9dc24b80cc1032409a608b195
xlm_sheet_09.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet10.xml | 1086 bytes | 3f2a1df67de8ad41774ff95c481ec52885dfaffeb1de9bd648b5f021166b5571
xlm_sheet_10.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet11.xml | 1086 bytes | 4790152469f3c8559808e91f4f2c78984f9936f448e8925b0934972f53905fa5
xlm_sheet_11.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet12.xml | 1086 bytes | 3b2a5d0a40b1f797950c0bc85f631c9d2e1480333f2ccbb11a2cd6b53a73f697
xlm_sheet_12.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet13.xml | 1086 bytes | 79c8aa94afcfb7582c2c6fdd5b8d5987fcfce18cc579b126738e0f9de28817a7
xlm_sheet_13.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet14.xml | 1086 bytes | 19990e15e7933dc2d1f2339629c7b520651da5a4c41c559136c9330733bece03
xlm_sheet_14.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet15.xml | 1086 bytes | 256b03e95171e43bab187111ef34ccf49c570e6bc9c9234427c600c1cbda452b
xlm_sheet_15.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet16.xml | 1086 bytes | 9e4454d5d3b176727019f9f46e528d4e991f8abace52a494156bd0b3007501e4
xlm_sheet_16.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet20.xml | 1086 bytes | 150beb3ca22879263dca9f8b60ab691858f4c2ed68f649c56f7eef486d604cc1
xlm_sheet_17.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet21.xml | 1086 bytes | 9377896dff83e15ef1b62e950ac93c9a8ee0d0b4d2ebbb7520ffaa1134a2679a
xlm_sheet_18.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet22.xml | 1086 bytes | 8355c9c33dbfbb6bf95a531f8d9a0136fb0c4f3a66aeca742e443e3d4de3c2e8
xlm_sheet_19.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet23.xml | 1086 bytes | c358de6c3b517e3f0bbf87fa718a6dc5504d3cb7c1738ca4bde0dc09defc5568
xlm_sheet_20.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet24.xml | 1086 bytes | 61f5433ea409554499b3de81ae3fa24eb5f1470aae57b10b16833789a9afa0b1
xlm_sheet_21.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet25.xml | 1086 bytes | a938f9835bad68fe6a76ce4d89b3a4fa4d1eedb14a6801a0542dcaab6445fa5e
xlm_sheet_22.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet17.xml | 1086 bytes | dd2c52da69f4d8328273af1260c7206760bc42313efec8e275ca784e9bcd88f1
xlm_sheet_23.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet19.xml | 1086 bytes | dc05cfd09356beebe8f7bd05db8207f3b2ad79802e3c60f503852164bd52073c
xlm_sheet_24.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet18.xml | 1086 bytes | 0e045a20985284c6f7917dc7a052801ee60f9999075cb1a55440420651662d4b