MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is an Excel file containing Excel 4.0 macros. These macros reconstruct and utilize URLs to download a PNG file and an executable file. The presence of WinAPI strings like URLDownloadToFileA and ShellExecuteA indicates the macros are designed to download and execute a second-stage payload, likely the downloaded .exe file.
Heuristics (4)

- Excel 4.0 macro sheet (1 sheet(s)) [critical; 2 related findings] OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- Binary XLM macro sheet with WinAPI/download strings [critical] OOXML_XLM_BINARY_WINAPI_STRINGS: Excel 4.0 macro sheet is stored as BIFF12/XLSB binary data and contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
- URL reconstructed from XLM cell array (2 URLs) [critical] OOXML_XLM_CELL_ARRAY_URL: Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order, plus FORMULA cell-reference concatenation in token order.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://thezencon.com/omicron/info.png (referenced by macro)
  - http://geundik.com/clax.exe (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 44410 bytes | 8cd8f3ceda681b22d885b758ae60d1ce459d8406ebf807787b88452f3c728e5f |
Preview script: first 1,000 lines of the extracted script (truncated). The preview is the raw BIFF12 binary content of xlm_sheet_00.bin and is not legible as text; the only readable content is the UTF-16 strings embedded in the record stream, namely the URL http://thezencon.com/omicron/info.png (appearing twice) and the string "Shell32".