Risk Score: 178 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
The XLSM file contains VBA macros that utilize the Shell() function and CreateObject, indicating an intent to execute arbitrary commands. The presence of cmd.exe references further supports this. The macro code appears to be designed to download and execute a secondary payload from the embedded URL, although the specific execution flow is truncated. The primary IOC is the external URL used for potential payload delivery.
Heuristics (7)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA
- VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project; VBA macros present
- External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS): Document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: https://cbtadmin-host.bimasoft.web.id/419/
- Hidden worksheet (hidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://cbtadmin-host.bimasoft.web.id/419/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash 0735026387260f4fd4beb5f75f0098f20c5b8480b7ed0d697474ee150a6caa77) | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 24647 bytes |
| vbaProject_00.bin (hash a64a8da9f6902ff8de12b29cd5a696c6bbb2301baa64b691ab6a7de40abeb77a) | vba-project | OOXML VBA project: xl/vbaProject.bin | 100352 bytes |