MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file was identified as an Excel 4.0 macro sheet, which is a known method for executing malicious code. The embedded XLM macros are likely intended to download and execute a secondary payload, though the specific commands are truncated and obfuscated in the provided evidence. This technique is commonly associated with initial access via spearphishing attachments.
Heuristics 1
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 22136 bytes |

SHA-256: ee3d026d9a70d28489986ec4df658470a699fe149b38adafe503669ba25f8d6e
Preview script: first 1,000 lines of the extracted script