Malware Insights
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to execute XLM formulas decoded from worksheet constants. The VBA script 'macros.bas' confirms this by iterating through constants, decoding them using character code manipulation, and then executing the resulting strings as XLM formulas via a named sheet. This process is designed to download and execute a second-stage payload, although the specific URL or payload is not directly present in the provided script. The script also attempts to close the workbook after execution.
Heuristics (2)

- VBA ActiveX event runs worksheet-decoded XLM formulas (critical, OLE_VBA_ACTIVEX_XLM_CELL_STAGER): VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains vbaProject.bin — VBA macros present.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | 8e10ea5536973c4a702b510d41cb58c99ef0bd40763c2a630b9956d5991c0c3d | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1370 bytes |
| vbaProject_00.bin | 94ade4f80e060303559538b4d356d31004fa52206eec8dfd29b80a6849a9dbe2 | vba-project | OOXML VBA project: xl\vbaProject.bin | 13824 bytes |
| emf_00.emf | 76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d | ooxml-emf | OOXML EMF part: xl\media\image1.emf | 1976 bytes |