Verdict: MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.002 Spearphishing with Malicious Attachment
The file contains both VBA and Excel 4.0 (XLM) macros, with a critical heuristic indicating that VBA ActiveX events trigger worksheet-decoded XLM formulas. The VBA macro attempts to execute a dynamically constructed string via MsgBox, which likely leads to the execution of the XLM macro. The XLM macro appears to be obfuscated and contains numerous numeric values, suggesting it's designed to download and execute a secondary payload.
Heuristics 3
- VBA ActiveX event runs worksheet-decoded XLM formulas (critical, OLE_VBA_ACTIVEX_XLM_CELL_STAGER): VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt e4855c55bf3129eb726f9f27bef15b425266722ce8751c8c70b3578c5f2ecc52 | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 50902 bytes |
| macros.bas 4a71708e274041e7f4b61d5df83028298bc9e092e428acb01e64e07f1b484a5f | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1832 bytes |