Verdict: MALICIOUS
Risk Score: 80

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic for Applications
- T1059.003 Windows Command Shell
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that the VBA code within this XLSM file is designed to decode and execute XLM formulas. The VBA script itself contains functions for string manipulation and execution, suggesting it's part of a stager mechanism. The presence of VBA macros and the specific heuristic strongly suggest a macro-based attack pattern aimed at initial execution of malicious code.
Heuristics (2)
- VBA ActiveX event runs worksheet-decoded XLM formulas [critical] OLE_VBA_ACTIVEX_XLM_CELL_STAGER: VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- VBA project inside OOXML [medium] OOXML_VBA: Document contains vbaProject.bin — VBA macros present.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | c3b4bf1fe28a9f229ad3a6d53c3d8b37fea9b269bd453ff2e27abce0c023dc7f | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2056 bytes |
| vbaProject_00.bin | ef7170d69d9b7199e830afe6fb913ce41d0b439a2ae06bd613832d1c03a1faf4 | vba-project | OOXML VBA project: xl/vbaProject.bin | 18944 bytes |
| emf_00.emf | 8357e7f07f41a1e53a6ef35edda5f8d6ef14c676e025cb302cff4e47f3ae55a8 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2024 bytes |