MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The file contains an encrypted Excel 4.0 macro sheet and VBA macros. The VBA script explicitly uses the URLDownloadToFile API to download a payload from a URL constructed by concatenating "http://" with a value from the "Files" sheet, Range("B60"). This indicates a downloader functionality, aiming to fetch and execute a second-stage malicious file. The specific URL is not fully reconstructible due to reliance on sheet data, but the download mechanism is clear.
Heuristics 5
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBA
-
Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEETWorkbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas0f1242a109be856c87ce725152fafb71b7f7fac0bbc68a186108f82d0b1a5db8 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1728 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.