MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
T1204.002 Malicious File
The critical heuristic firing for 'OOXML_XLM_MACROSHEET' indicates the presence of Excel 4.0 macros, which are often used for malicious purposes. The VBA macro contains a 'CreateObject' call, suggesting dynamic execution. The presence of 'x.xlsb' as an external relationship further points to the download of a secondary malicious file. The overall intent appears to be the execution of a downloaded payload.
Heuristics 4
-
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
External relationship medium OOXML_EXTERNAL_RELExternal target in xl/pivotCache/_rels/pivotCacheDefinition1.bin.rels: x.xlsb
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas09817833dcb7a77fc8b62992cf611d46ee9d7f56f2520b0d46d294333f85e24b |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 972 bytes |
vbaProject_00.binfda9a91d8f6fbfc571f90ccacc6f7be0b08a75ce1b6566da6281ce951e1f0ca9 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 13824 bytes |
xlm_sheet_00.bincf30638f8e715409a6e92c1d7e764925315c1e6543bbe9445c29bf261b027724 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2776 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.