MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
The XLSM file contains VBA macros that leverage an ActiveX control to launch a decoded Excel4 macro. This technique is commonly used to download and execute additional malicious content. The presence of 'ActiveX event launches decoded Excel4 macro' and 'ExecuteExcel4Macro' heuristics strongly suggests this behavior. No specific family could be identified, and no external IOCs were extracted.
Heuristics (4)
- VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER: VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
- ActiveX control [high] OOXML_ACTIVEX: Malformed OOXML local headers contain ActiveX controls (can execute code).
- VBA project inside OOXML [medium] OOXML_VBA: Malformed OOXML local headers contain vbaProject.bin (VBA macros present).
- Malformed OOXML package with recoverable local headers [low] OOXML_MALFORMED_ZIP_LOCAL_HEADERS: The OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.