MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical heuristic firing for OOXML_XLM_MACROSHEET indicates the presence of Excel 4.0 macros, a known method for executing malicious code. The VBA macro code contains functions that save worksheet data to external files with user-specified names, suggesting a data exfiltration or staging mechanism. The presence of a NOP-equivalent sled also suggests potential shellcode execution.
Heuristics 3
- Excel 4.0 macro sheet (1 sheet(s)) [critical, OOXML_XLM_MACROSHEET]: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: Long run of 0x61 bytes
- VBA project inside OOXML [medium, OOXML_VBA]: Document contains a VBA project — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 0aa94a1b93bbea3630733076c312c626131e99497d98750357798d82cc6fa23a | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1621 bytes |
| vbaProject_00.bin e8f5b9e253ea7549caea1979a439325f1a3605bf1f1116ac3c928dc5110f8be8 | vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
| xlm_sheet_00.bin aa849ed5cbc7fd9f183daf7a4529cadafb4980ee345834d380b69306a8403922 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 1432 bytes |