Office (OOXML) / .XLSX malware analysis — malicious · fb454296cc6afa40

MALICIOUS

Office (OOXML) / .XLSX

114.5 KB Created: 2021-02-03 15:28:44 UTC Authoring application: Microsoft Excel 16.0300

MD5: d7354420d2eb36101c9c68b123f0a6fb SHA-1: 2e32162b4b1ed5e97300c5dff6e21d3c15087d7e SHA-256: fb454296cc6afa402e996db02189647636d10ce20930f8f57810d9175ea50710

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is an OOXML file identified as containing Excel 4.0 macros, which is a critical finding. The macros are also disguised under a non-standard package path. While the specific commands within the macro sheet are truncated and heavily obfuscated, the presence of disguised Excel 4.0 macros strongly suggests an intent to execute arbitrary code, likely for downloading and running a secondary payload. The exact nature of the payload and its delivery mechanism cannot be determined due to the truncated script content.

Heuristics 2

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Excel 4.0 macro sheet stored under disguised package path critical OOXML_XLM_DISGUISED_RELATIONSHIP

OOXML package declares an xlMacrosheet relationship whose target is outside the canonical xl/macrosheets/ path. Excel follows the relationship type, while path-only scanners can miss the macro execution surface.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `3fd2c5ac9f1339b006d4b8558a66e92632e93690860205c61803635b864cb6a6`	xlm-macrosheet	OOXML XLM macro sheet: xl/xls/sheet1.bin	1007414 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.