Office (OOXML) / .XLSX malware analysis — malicious · fbd632b530d77292

MALICIOUS

Office (OOXML) / .XLSX

60.6 KB Created: 2021-10-27 10:31:49 UTC Authoring application: Microsoft Excel 12.0000

MD5: 75aabe8096cca0a983d1b9efd8e0a13f SHA-1: 0e794960caadb4c67cd11a9690169116215be424 SHA-256: fbd632b530d77292de0c9d7a69b1e7beb1e30332abe27255f01aa231dad6cabb

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel spreadsheet containing an embedded Excel 4.0 macro sheet. The macro appears to be designed to execute a command that writes to the file path 'C:\ProgramData\excel.rtf'. This is a common technique for downloading and executing further malicious content. The macro is truncated, limiting a full analysis, but the intent to execute external code is clear.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `65b691cc1889ebd6781db4c1ca66923e63b2ba3fa2c2a1e594b690012dd96216`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	152043 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.