MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macro sheets, which are known to be used for malicious purposes. The heuristic 'OOXML_XLM_REASSEMBLED_PAYLOAD' indicates that the macro code was likely used to download and execute a second-stage payload from a URL. The specific URL is truncated but begins with 'https://'.
Heuristics (2)

- Excel 4.0 macro sheet (3 sheets), critical, 1 related finding, OOXML_XLM_MACROSHEET: Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas, critical, OOXML_XLM_REASSEMBLED_PAYLOAD: An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 5841 bytes | 40be9070ee56a0040fc00348db67d6627ee86b79694c9e18182b3e6501674e14 |
| xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1120 bytes | 7e38255c40ab35edaaeb5a47d841e04a4d9ca0e7e276885fb7300011bc354388 |
| xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 6202 bytes | 0706683577b51d9b3428ba9eff330731adfb902e0c9310c085b1551194bfdaad |

Preview script (first 1,000 lines of each extracted sheet): the carved sheets are raw BIFF12 binary records, so the text preview renders as unreadable byte sequences and is truncated. The only readable fragment in the preview of xlm_sheet_02.bin is the string "https://", consistent with the truncated payload URL noted in the summary above; no other command, API name, or URL is contiguous in the previews.