MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file contains multiple Excel 4.0 macro sheets, which are reassembling a payload from CHAR() and split formulas. The critical heuristics indicate that these macros are designed to download and execute a payload from the specified URLs, likely resulting in the execution of a second-stage malware. The ClamAV detection further confirms its malicious nature as a downloader.
Heuristics 3
-
Excel 4.0 macro sheet (12 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
ClamAV: Xls.Downloader.GreenOffice12210-9918618-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.GreenOffice12210-9918618-0
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.binb5aba48cdbc925dbf4cf1fd099252f76e1ccde07778d66ad239dd029d3f4e959 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 363 bytes |
xlm_sheet_01.bin514ba565434569c0a538370e537b6c9f5c528e1aa38f0e635f27bd199bac7778 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 3023 bytes |
xlm_sheet_02.bin047efb69be3aabac5e32c5468a16304585fb8200ae4e3ee22b4ad91ad823f54c |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1787 bytes |
xlm_sheet_03.bin0f1e1280117d34354f071590ae05ed4b803774dbb89e255f805496835eaedbb3 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 618 bytes |
xlm_sheet_04.binf93099eafdd1b1c882fd3d99b878ec6f1a02981e1d97ffc55a5317c481c3f9a7 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 618 bytes |
xlm_sheet_05.bin02c209dd2dc5e6979e99f6e4a3b776670466e8f2322cc37d317ff8ccfc4b675d |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 964 bytes |
xlm_sheet_06.bin9546b38eaf75fa2c0d2b9c568cc5cba1bb59a95b391668fa432a2be08c195bcf |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 650 bytes |
xlm_sheet_07.bin62df625d44e0eb5a196e883fba76b1e7243ad8cf79b1303b4b2e74c9f0db97ac |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 423 bytes |
xlm_sheet_08.bin861f04f1095e7942cb333088a674476c30702f97a737f71c0139aa7a13b90a77 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 754 bytes |
xlm_sheet_09.bin8301bc5278f0fa8a1f30b666f2bae149b2af7f7e8725fc411f414d663b46ea68 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 679 bytes |
xlm_sheet_10.bin987c911348779e2ffc43c7db23b3310492dcbfccbd081b8f655607c24dbe81e5 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet4.bin | 679 bytes |
xlm_sheet_11.bin94af29dac79b320dd48dd0c00ef963dea5cdfa0950ab7c96c958da08ff885679 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 757 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.