MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The presence of an Excel 4.0 macro sheet (OLE_XLM_AUTOOPEN) indicates the file is designed to execute code upon opening. The macro sheet contains calls to functions like CALL EXEC, which are indicative of macro execution. The document body contains URLs that are likely used to download a secondary payload. The specific functions and strings suggest a downloader or droppper functionality.
Heuristics 3
-
Excel 4.0 (XLM) macro sheet uses dangerous capability functions high OLE_XLM_DANGEROUS_FN_STATICWorkbook contains an Excel 4.0 macro sheet whose formulas reference two or more dangerous capability functions (e.g. CALL into a Win32 API such as URLDownloadToFile, EXEC to launch a process, REGISTER an external DLL procedure, or FWRITE/FOPEN to drop a file) with an Auto_Open / Auto_Close auto-execution name. This is the canonical XLM downloader/dropper shape and is recovered directly from the BIFF records, so it fires even when the full macro chain cannot be deobfuscated.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://actualitatea-crestina.ro/vAaimKTJbZgA/ork.html Referenced by macro
- https://baro-care.de/AcQy6YJYOdr/ork.htmlReferenced by macro
Open this report in the interactive analyzer, or submit your own file for analysis.