MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains Excel 4.0 macros, which are known to be used for malicious purposes. These macros reconstruct and execute URLs pointing to a second-stage payload. The primary intent appears to be downloading and executing arbitrary code from the provided URLs.
Heuristics 4
-
Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
URL reconstructed from XLM cell array (2 URLs) critical OOXML_XLM_CELL_ARRAY_URLExcel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ssmdevelopers.in/4RaxIGAPtfPM/yu.html Referenced by macro
- https://ramblerimport.com/hz4UhluT5au/yu.htmlReferenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 114422 bytes |
SHA-256: 75671d724d6899f82f10be918456f4b8569f54253b0a4110770ac348ebb331f6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � I � % �� & � � @ d � $ � � % �� & � I , � < / I < 0 6 I < 7 �? I � � % �� & , 6
! " # % �� & , 6
! " # % �� & , 6
% �� & , 6
4 % �� & , 6
4 % �� & , 6
6 % �� & , 6
� 4 - h t t p s : / / s s m d e v e l o p e r s . i n / 4 R a x I G A P t f P M / y u . h t m l ] - h t t p s : / / s s m d e v e l o p e r s . i n / 4 R a x I G A P t f P M / y u . h t m l % �� & , 6
� 4 - h t t p s : / / r a m b l e r i m p o r t . c o m / h z 4 U h l u T 5 a u / y u . h t m l ] - h t t p s : / / r a m b l e r i m p o r t . c o m / h z 4 U h l u T 5 a u / y u . h t m l % �� & , 6
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.