Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is an Excel document containing Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_DANGEROUS_FN' heuristics. The document body contains a lure to 'Enable Editing' and 'Enable Content' to view protected content. The macros utilize dangerous functions like CALL and RUN, suggesting an intent to download and execute a second-stage payload. The presence of these functions and the lure strongly indicate a malicious document designed for initial access via spearphishing.
Heuristics (6)

- Excel 4.0 macro sheet (1 sheet(s)) [critical, 2 related findings] OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
- Dangerous XLM formula APIs: RUN, CALL, HALT, RETURN [critical] OOXML_XLM_DANGEROUS_FN: Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- Macro/content-enable lure [medium] SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET: Excel workbook contains 1 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 182318 bytes |

SHA-256: d57e89fa574e775dfcabe6401d78a3c6eb99d112b0bd40407cfa394b68d6479f
Preview script: first 1,000 lines of the extracted script