MALICIOUS
68
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical heuristic 'OOXML_XLM_MACROSHEET' indicates the presence of Excel 4.0 macros within the XLSX file. These macros are often used to download and execute malicious payloads. While the macro content is truncated, the presence of XLM macros strongly suggests an attack pattern involving malicious document execution, likely delivered via spearphishing.
Heuristics 2
-
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEETMalformed OOXML local headers contain an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and is rarely used in modern legitimate workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERSThe OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_04.bin |
xlm-macrosheet | Malformed OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 22875 bytes |
SHA-256: c2bd7aee509cbbe4a117754448290f7bcc02b11a7c4fd1f5e11a3b34d91d1345 |
|||
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � � � � � � @ d � $ � � % �� & � ���� , � % �� & , � [ % �� & , �
U B l y N u M x C b Q N H Z Dx � D� � D� � D� � B X % �� & , �
= * W s P n t p B F T o q z $� � B X � � % �� & , �
$ � B � � % �� & , �
$� � B � J - % �� & , � \ e % �� &
, � � % �� & , � {
%� C # B a�B 7 % �� & , � : $ % �� & , � � % �� & , � � % �� & , � � % �� & , � � % �� & , � , a @% �� & , � " % �� & , � x % �� & , � � ( % �� & " , � � % �� & $ , � � @% �� & % , � . z � + % �� & & , � % �� & ' , � e % �� & * , � � % �� & + , � �
% �� & , , �
" % �� & - , � � % �� & . , � t @ � & � % �� & 0 , � �
� � # % �� & 1 , � 1 % �� & 3 , � + % �� & 4 , � ! m
e� R l y N u M x C b Q N H Z D� � Df ` D0 � D" � D� � D� z B X % �� & 5 , �
=� * W s P n t p B F T o q z $� � B X % �� & 6 , � �
� $ � B � % �� & 7 , �
� $� � B � % �� & 8 , � G � % �� & ; , �
uG b l y N u M x C b Q N H Z D� � D0 � DS � D� � D� D� � D� D� � B X % �� & < , �
=G * W s P n t p B F T o q z $� � B X % �� & = , � 9
G $ � B � % �� & > , �
G $� � B � % �� & @ , � @ �|@ ^ � % �� & A , � @ @% �� & B , �
u& b l y N u M x C b Q N H Z D x Dd ` D� H D� � D� � D� � D� n D. t B X l % �� & C , �
=& * W s P n t p B F T o q z $/ ) B X % �� & D , �
& $ � B � o q ) | � ( % �� & E , �
& $ � B � % �� & K , � � % �� & M , � ' @% �� & T , - � - * % �� & U , - � K ' � % %
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.