Malware Insights
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA code is used to execute Excel 4.0 (XLM) formulas. The VBA script 'Module1' contains a function 'Decrement' which appears to be responsible for constructing and executing these XLM formulas. It reconstructs a string 'Au_tv5' which is likely a named range or macro name used to trigger the execution. The script also attempts to obfuscate its actions by using string concatenation and randomisation, and ultimately closes the workbook, suggesting a downloader or stager functionality.
Heuristics (3)
- VBA ActiveX event runs worksheet-decoded XLM formulas (severity: critical, id: OLE_VBA_ACTIVEX_XLM_CELL_STAGER): VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- Excel 4.0 (XLM) macro sheet present (severity: medium, id: OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (severity: medium, id: OLE_VBA_MACROS): Document contains VBA macro code.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename (hash) | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (3b047e7663da1a8f3a93d68a5822b3f857c6c147f26be523495c9a198f7227cf) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 50488 bytes |
| macros.bas (ae317a54700eb2f955a62fd4ce62a46622ceed5880c768abeade8bf5fcaa0b45) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1562 bytes |