MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA code is used to execute decoded XLM formulas. The VBA macro 'hellioso' reconstructs a string for execution using 'Application.OnTime Now, "he" & "llioso"', which then appears to decode constants from the worksheet into a string that is executed. This process is designed to download and execute a second-stage payload. The XLM macro sheet contains numerous numeric constants that are likely used in the decoding process.
Heuristics 3
- VBA ActiveX event runs worksheet-decoded XLM formulas (critical, OLE_VBA_ACTIVEX_XLM_CELL_STAGER): VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (18eba44fd636e5b01feeac838a4be2dccf08c66a269a5cd0b71fa30ac86610d5) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 54374 bytes |
| macros.bas (6d3245b490a8622bdb63a1b0140eb24ec2e3278b3decfed0717621f0bcbea084) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1623 bytes |