Malware Insights
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to execute worksheet-decoded XLM formulas. The VBA script confirms this by using `ExecuteExcel4Macro` to run obfuscated formulas. The script's intent is to decode and execute these formulas, which is a common technique for downloading and running further malicious content. The `documentviewer_Layout` subroutine calls `Dview` twice, suggesting an attempt to ensure execution. The `ActiveWorkbook.Close 0` command at the end of `Dview` and `documentviewer_Layout` indicates the workbook will close after execution.
Heuristics (2)
- VBA ActiveX event runs worksheet-decoded XLM formulas (severity: critical; rule: `OLE_VBA_ACTIVEX_XLM_CELL_STAGER`). VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- VBA project inside OOXML (severity: medium; rule: `OOXML_VBA`). Document contains vbaProject.bin — VBA macros present.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | e09f84ddaba8607cdd6c17b98706d0aef2017354d19bcaefcf11bb1fc733d1c0 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1223 bytes |
| vbaProject_00.bin | fb113f5eb1df8df03efa78a9d864ced5e85acea4a799a7acc39aa50138c30925 | vba-project | OOXML VBA project: xl/vbaProject.bin | 15360 bytes |
| emf_00.emf | 18442f66fc184308368fb113b1c28494dce7331a052469405fcf94f2ee8085b5 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2024 bytes |