Verdict: MALICIOUS
Risk score: 182
Heuristics: 4
- Excel 4.0 macro sheet (1 sheet(s)) [critical, 2 related findings] OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- Excel 4.0 macro sheet stored under disguised package path [critical] OOXML_XLM_DISGUISED_RELATIONSHIP: OOXML package declares an xlMacrosheet relationship whose target is outside the canonical xl/macrosheets/ path. Excel follows the relationship type, while path-only scanners can miss the macro execution surface.
- XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://149.3.170.55/sd-lod/.xet (referenced by macro)
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/themepic/sheet1.bin | 1003331 bytes |

SHA-256 of xlm_sheet_00.bin: 7488e7192c16bd3a42ce27e2414e876ada39ba296e21a8ed64a4266741130110
Preview script: first 1,000 lines of the extracted script (binary BIFF12 content).