Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 (XLM) macro sheets, flagged by two critical heuristics. The macros reassemble their payload from split formulas, as indicated by the 'OOXML_XLM_REASSEMBLED_PAYLOAD' heuristic firing. Their primary function appears to be downloading and executing a second-stage payload from a URL, of which only the 'https://' prefix was extracted. Further analysis of the macro content is limited by truncation.
Heuristics (2)

- Excel 4.0 macro sheet (3 sheet(s)), critical, 1 related finding. OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas, critical. OOXML_XLM_REASSEMBLED_PAYLOAD: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL, i.e. the de-obfuscated download-and-run kill chain.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 5899 bytes | 3840a85fef597b4c1048e2293e9868c092cb71817ca6a48c70e385c15f054825 |
| xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1178 bytes | e0ac2db23886cbd6e5c6d4571b4aed592c3b65d78fbc1c6914e8f5b1458839fe |
| xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 6260 bytes | e37bf8a7a6e81f7811bb1cee2f6fce3079bcd6a697aefbcf24f3cb728a30c452 |