Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 fa8f8414db17b5c7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 86.2 KB
Created: 2021-10-27 10:31:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 4da5e5b8b5acdb74b3e09db50e2384b7
SHA-1: eb6dd6ba1ec05398d058c976baff8f0ef1638f86
SHA-256: fa8f8414db17b5c7847499e1e5474ddfee9ced8840e8b25d3c4e00b6be429a54
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The workbook contains an Excel 4.0 (XLM) macro sheet. Legitimate modern workbooks almost never carry one, so its presence is by itself a strong indicator of malicious intent. Strings recovered from the sheet show the macro writing a file named excel.rtf to C:\ProgramData\, a directory that standard users can write to and that is commonly used to stage a payload. The macro body is obfuscated, so the full execution flow could not be recovered statically; the macro sheet together with the staging path points to downloader or dropper functionality. Static analysis alone cannot establish what excel.rtf contains or how it is used after being written; confirming that requires dynamic analysis of the sample.

Heuristics (1)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft disabled XLM macros by default; legitimate XLM use in modern workbooks is rare. Here the macro sheet is stored as a BIFF12 binary part (xl/macrosheets/sheet1.bin) rather than as XML, so OOXML scanners that only parse XML parts will not see it.
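As an added example, not part of the original report or of the tooling that produced it, the following Python script shows how the container-level check behind this heuristic works: it reads [Content_Types].xml for the two content types Excel assigns to macro sheet parts, also walks the xl/macrosheets/ path so that a binary .bin part is reported even when the content-types manifest has been tampered with, and pulls both ASCII and UTF-16LE strings out of each macro sheet part to match against a small watch-list. The workbook it scans is constructed in memory as a stand-in for the sample (it is not the analysed file), and the indicator list is an illustrative assumption rather than the report's rule set.

```python
"""Added example: find Excel 4.0 (XLM) macro sheet parts inside an OOXML zip
and pull indicator strings out of them. Not the report's own tooling."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Content types Excel assigns to XLM macro sheet parts.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",  # XML part (.xlsm)
    "application/vnd.ms-excel.macrosheet",      # BIFF12 binary part (.xlsb)
}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Illustrative watch-list (an assumption for this example, not the report's rule set).
INDICATORS = [
    rb"C:\\ProgramData\\", rb"\.rtf\b",
    rb"\bEXEC\b", rb"\bCALL\b", rb"\bREGISTER\b", rb"\bFORMULA\b",
    rb"URLDownloadToFile",
]


def find_xlm_parts(container: bytes) -> list:
    """Names of macro sheet parts: from [Content_Types].xml overrides (the
    authoritative source) plus anything under xl/macrosheets/, so a .bin
    part that an XML-only scanner would skip is still reported."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if ov.get("ContentType") in XLM_CONTENT_TYPES:
                    found.add(ov.get("PartName", "").lstrip("/"))
        found.update(n for n in names if n.startswith("xl/macrosheets/"))
    return sorted(n for n in found if n)


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs plus UTF-16LE runs (BIFF12 stores text as UTF-16LE)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return narrow + [w[::2] for w in wide]  # drop the high bytes of UTF-16LE


def scan(container: bytes) -> dict:
    """Report macro sheet parts and the indicator strings found in each."""
    parts = find_xlm_parts(container)
    hits = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for part in parts:
            if part not in zf.namelist():
                continue  # declared in content types but absent from the zip
            strings = extract_strings(zf.read(part))
            hits[part] = sorted({s.decode("ascii") for s in strings
                                 if any(re.search(p, s) for p in INDICATORS)})
    return {"macrosheets": parts, "indicators": hits,
            "verdict": "xlm-macrosheet" if parts else "no-xlm"}


def build_sample(with_xlm: bool = True) -> bytes:
    """Constructed in-memory workbook, a stand-in for the analysed file."""
    ns = "http://schemas.openxmlformats.org/package/2006/content-types"
    main_ct = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    if with_xlm:
        overrides += ('<Override PartName="/xl/macrosheets/sheet1.bin" '
                      'ContentType="application/vnd.ms-excel.macrosheet"/>')
    content_types = f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{ns}">{overrides}</Types>'
    # Fake BIFF12-style payload: a UTF-16LE staging path, then an ASCII XLM call fragment.
    sheet = (b"\x00" * 16 + "C:\\ProgramData\\excel.rtf".encode("utf-16-le")
             + b"\x00" * 8 + b'CALL("urlmon","URLDownloadToFileA"' + b"\x00" * 4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.bin", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan(build_sample(with_xlm=flag)))
```

Running the script prints one result for the constructed macro-bearing workbook (verdict xlm-macrosheet, with the staging path and the CALL fragment listed as indicators) and one for a clean workbook with no macro sheet. The content-types lookup and the path walk are deliberately both kept: a sample can carry a macro sheet part that the manifest does not declare, and a manifest can declare a part that is missing, so the scan reports the union and silently skips parts that are not actually in the zip.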

Extracted artifacts (1)

Files carved from inside the sample during analysis. The extracted macro sheet part is larger than the 86.2 KB container because OOXML parts are stored deflate-compressed inside the zip.

Filename: xlm_sheet_00.bin
SHA-256: 7575941f733a4b7f6a03e44c0ec115c1a79bda5d23c78a06a2afbc8c0e101db3
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 301194 bytes