MALICIOUS
230
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1071.001 Web Protocols
This Excel document contains Excel 4.0 macros, which are known to be used for malicious purposes. The Workbook_Open macro triggers the execution of these macros. The critical heuristic 'OOXML_XLM_DANGEROUS_FN' indicates the use of dangerous XLM formula APIs like REGISTER and GOTO, which can be used to download and execute payloads. The embedded URL http://162.248.225.122/0 is highly suspicious and likely serves as the source for the payload. The script attempts to download a second-stage payload from this URL.
Heuristics 8
-
Excel 4.0 macro sheet (2 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
-
Dangerous XLM formula APIs: REGISTER, GOTO, EXEC, HALT critical OOXML_XLM_DANGEROUS_FNExcel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
External relationship medium OOXML_EXTERNAL_RELExternal target in xl/externalLinks/_rels/externalLink1.xml.rels: IC-Office-Work-Schedule-Template16
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://162.248.225.122/0
- http://schemas.openxmlformats.org/spreadsheetml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
- http://schemas.microsoft.com/office/spreadsheetml/2014/revision
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
- http://schemas.microsoft.com/office/excel/2006/main
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basc0c60e346d4801111e046b4acb1d8144259c1bf12e21684870e5fea861d54208 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2415 bytes |
vbaProject_00.bin04b47f1f5ed86064c9415e567fc8caf9f34084918f788d60b8e2338bf5547f31 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
xlm_sheet_00.xml7e5c746ebcc9a11e2f40f27f1e7c7308e494b3570e0e5d40daf31200b16e41c7 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 2245 bytes |
xlm_sheet_01.xml4e31892eaff02827de62da833c17b8112bcc26252e18a89b1a8bf7faeeca8ae2 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 1735 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.