MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Service Execution: Service Control Manager
T1204.002 Malicious File: User Execution
T1105 Ingress Tool Transfer
The sample contains embedded Excel 4.0 macros that utilize dangerous functions like CALL and EXEC to download and execute a payload from the URL https://www.smowengroup.com/fer/iertef.php. The document body confirms the intent to download a file named 'uuhof.exe' and execute it. This indicates a downloader or droppper functionality.
Heuristics 3
-
Dangerous XLM formula APIs: RUN, HALT, CALL critical OOXML_XLM_DANGEROUS_FNExcel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
-
Excel 4.0 macro sheet (1 sheet(s)) high OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.smowengroup.com/fer/iertef.php
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.xml2eb4ebb455ca52627c4d9e9decc2dd673b8346dadf018c3bfa7d9f7a69071f1f |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 3998 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.