MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
The critical heuristic 'OOXML_XLM_MACROSHEET' indicates the presence of Excel 4.0 macros, which are known for their malicious capabilities. The VBA script within 'macros.bas' explicitly calls functions to save 'Sheet2' as an address-based text file and 'Sheet1' as an XLS file, using the provided 'Drawing' argument as the base filename. This suggests a data exfiltration or staging mechanism. The 'SC_NOP_EQUIV_SLED' heuristic is less specific but can sometimes indicate shellcode or exploit-related activity.
Heuristics 3
-
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLEDLong run of 0x61 bytes
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas0aa94a1b93bbea3630733076c312c626131e99497d98750357798d82cc6fa23a |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1621 bytes |
vbaProject_00.bina1010be495c64d063d63651530dd5df0c5661f03c58291b392c55bbecd1655f4 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
xlm_sheet_00.bin698779882c9b02f9310d317b6e0fe21494500ae7cb3ce968c77d24c8a0aa4844 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 1432 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.