MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample is an Excel 4.0 (XLM) macro-enabled workbook. Heuristics indicate the presence of an Auto_Open macro designed to execute a payload or lure the user into enabling content. The document body displays a table of contents and product summary, a common tactic to disguise malicious macro execution. The embedded URLs, though confirmed benign, are associated with the Auto_Open heuristic, suggesting a potential download or execution vector.
Heuristics 4
-
XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LUREWorkbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUSWorkbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://us.f145.mail.yahoo.com/ym/WINDOWS\TEMP\MEADJOHNSON.xls
- http://us.f145.mail.yahoo.com/ym/WINDOWS\TEMP\BCW12M06-2002.xls
- http://us.f145.mail.yahoo.com/ym/WINDOWS
Open this report in the interactive analyzer, or submit your own file for analysis.