MALICIOUS
108
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1204.002 Malicious File
The file contains legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristics. These macros are designed to download and execute a second-stage payload from the URLs http://150.1.154.4/My and http://150.1.154.4/WINDOWS\TEMP\ME-08-P.xls. Although VBA macros are present, they contain no executable statements, suggesting the primary malicious functionality resides within the XLM macros.
Heuristics 4
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://150.1.154.4/My
- http://150.1.154.4/WINDOWS\TEMP\ME-08-P.xls
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas63a2e15f033a67d9ad16642d9c6b6d7f322e2e127de587618e34746664bf1957 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1506 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.