MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
The critical heuristic OLE_VBA_ACTIVEX_XLM_CELL_STAGER indicates that VBA code is used to execute obfuscated XLM formulas. The VBA macro 'documentoformato' reconstructs and executes XLM formulas, and the 'enel_Layout' subroutine triggers this process. The reconstructed XLM formula likely serves as a stager to download and execute a secondary payload, although the specific URL or execution command is not directly extractable from the provided evidence. The presence of both VBA and XLM macros points to a complex execution chain.
Heuristics 3
-
VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGERVBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt18fb921acb44c0adeab3c6e768f9b1946c5372600eef0bc1350939fe5bcd3fd0 |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 458 bytes |
macros.bas5dd215fa73876d143c49f14bb905c325ce4aa0aa60dc061e6af5fce461854156 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1450 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.