MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel spreadsheet containing both Excel 4.0 (XLM) macros and VBA macros. The XLM macros include an Auto_Open entry, and the VBA macros contain CreateObject and CallByName calls, indicating malicious intent. The VBA script attempts to construct a URL by concatenating strings: "htt" & "ps:" & "//sherpa" & "com/wp-content/uploads/2023/09/test.xls", which resolves to https://sherpa.com/wp-content/uploads/2023/09/test.xls. This URL is likely used to download and execute a second-stage payload.
Heuristics 5
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| xlm_macros.txt | ec9c77fa230626371a5c1cbb524e132cafd43f9462e911dc87137b0b3e491341 | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 7584 bytes |
| macros.bas | 59274557647816dd450d1c52b550d32aad5b4d813e703f9dbe419cc70992ff6e | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5862 bytes |