Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1218 Signed Binary Proxy Execution
The file contains Excel 4.0 macros, which are known to be used for malicious purposes. Heuristics indicate suspicious invocations of cmd.exe and PowerShell, suggesting the macros are designed to execute arbitrary commands. The embedded URL likely serves as a distribution point for further malicious payloads. The presence of these elements strongly suggests a downloader or initial access attack pattern.
Heuristics (5)
- Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD)
- Reference to PowerShell (severity: high; rule: SC_STR_POWERSHELL)
- Visible LOLBin command execution instruction (severity: high; rule: SE_LOLBIN_RUN_COMMAND): Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
- Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (severity: info; rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://lankarecipes.com/Sparc.jp
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (SHA-256: f85bdc0d73cfdc6c468b1fd79b816c7f1240a925a8c84e67676697bfd7c3aca7) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 2760 bytes |