MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to run worksheet-decoded XLM formulas. The VBA script 'salva_stampa_0' iterates through constants in the used range, decodes them using the 'chao_s' function, and then executes them via 'ExecuteExcel4Macro'. This process is designed to download and execute a secondary payload, although the specific URL or command is obfuscated within the script.
Heuristics 2
-
VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGERVBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas0c5964b70d3c2e1b33a9c60cf703da7d490e9b731d448436f59fd3a8a633ee86 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1521 bytes |
vbaProject_00.bind30de5b97997cf81dffefda9412ee322c0072597374700599521ad27d7849e5a |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17408 bytes |
emf_00.emf4609916d8bdbc79e29612828ccd046cae14d7ddc0bfea0db84520ad5f180a00d |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1408 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.