MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Service Execution: Service Control
T1059.001 PowerShell
T1204.002 Malicious File: User Execution: Malicious File
The sample contains Excel 4.0 macros that utilize dangerous functions like FORMULA and CALL to download and execute a payload. The presence of an Auto_Open macro and hidden worksheets further indicates malicious intent. The script's primary function is to download a second-stage payload from one of the provided URLs.
Heuristics 7
-
Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
-
Dangerous XLM formula APIs: FORMULA, GOTO, HALT, REGISTER, EXEC critical OOXML_XLM_DANGEROUS_FNExcel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://190.14.37.252/44313,6048108796.dat
- http://91.211.91.71/44313,6048108796.dat
- http://185.82.218.30/44313,6048108796.dat
- http://190.14.37.252/
- http://185.82.218.30/
- http://91.211.91.71/
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas125e232ed61153a54047fc42bf831a7a5df16598df76aff16860bf28521d2ade |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2760 bytes |
vbaProject_00.bin590b0126ca8d1e7bd88af1d58b85b0c62ce22d8c6fa543f2326f7f6b9b0e0d64 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 13312 bytes |
xlm_sheet_00.xml6d2c54826d9f8cfbc27ceceafde259a335d4f7ce95274c4c00b5379894a0c3cc |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 4413 bytes |
xlm_sheet_01.xml9ca9d23ba3a5b04b35f5c4332df1ce68c0463c9fa42327aa2f7cde6c21f3e64c |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 2121 bytes |
xlm_sheet_02.xml5e80fd069ac35c5e39918d8dfaaf0ba77875f57b487bcfcc5d8bc7d346806551 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1832 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.