MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample is an Excel 4.0 macro sheet (XLM) that uses an 'enable content' lure to trick the user into executing its payload. The macro sheet contains embedded URLs that are likely used to download and execute a second-stage payload via rundll32.exe or regsvr32.exe. The XLM macro itself is obfuscated, but the presence of the Auto_Open payload lure and the embedded URLs strongly indicate a downloader or droppper functionality.
Heuristics 4
-
XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LUREWorkbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://aravindanavada.com/AHt5r3T0VSlq/solo.html In document text (OLE body)
- https://mrcrgroup.com/sOyQynNJYBY/solo.htmlIn document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.