MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.004 Visual Basic for Applications
The file is an Excel 4.0 macro sheet (XLM) and contains VBA macros, indicated by the OLE_XLM_AUTOOPEN and OLE_VBA_MACROS heuristics. The VBA macro code includes functions like 'ZapiszSie' which saves the workbook as 'B_PLUS.VBA' and attempts to save it again using a variable 'PLUS_Nazwa', suggesting an attempt to save or copy malicious components. The presence of obfuscated VBA strings and the XLM macro sheet structure points towards a downloader or information-stealing malware.
Heuristics 3
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt 3bf1d33dd64e6a3821038c5290618c259d17a3bcc0b4d224f8ce1711e9a6f58a | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 1637 bytes |
| macros.bas 83db56350b9b659db943c300ca9d455a5ef3d11a5c4a074aedcd618563e03e31 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 656533 bytes |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 21 Chr/ChrW string-construction calls.