MALICIOUS (Risk Score: 96)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
The sample is an Excel macro-enabled document (XLSM) containing a Workbook_Open macro, indicating it's designed to execute code upon opening. The document body presents a 'Royal Mail Account Inland Claim Form', a common lure for phishing or scam operations. The presence of hidden worksheets and the SE_CALLBACK_LURE heuristic further support a social engineering attack, likely aiming to trick users into providing sensitive details or making fraudulent claims.
Heuristics 5
| Heuristic | Severity | ID | Description |
|---|---|---|---|
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project — VBA macros present |
| Callback phishing phone lure | medium | SE_CALLBACK_LURE | Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Hidden worksheet (hidden) | low | OOXML_HIDDEN_SHEET | Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction |
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas f2e610137105a4ef2bdf03f89e6257998bce0fcd32e2cd10ae128f1484c19aaf | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 20720 bytes |
| vbaProject_00.bin e0dc20810e6f142697283d2f17b1987c159a44c111dbb7bfdd14007d3dfb8b2c | vba-project | OOXML VBA project: xl/vbaProject.bin | 476672 bytes |