MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer
The VBA macros within this XLSM file contain a critical 'Shell()' call and reference 'cmd.exe', indicating execution of system commands. Specifically, the script uses 'certutil' to download 'putty.exe' from the provided URL to the user's AppData directory and then executes it. This suggests the document is a downloader for a secondary payload, likely a backdoor or RAT, disguised as a legitimate Excel file.
Heuristics 6
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBA
-
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBA
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas3249a77532d76a45f5c1263933a42c75b3a7d187951a76d7e6ba335288896a26 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1383 bytes |
vbaProject_00.bin8d267b65678e8accf91aad4495b2c2e1c5945121b687f7b3d1c21cfde7e30859 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 19968 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.