MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file contains Excel 4.0 macros that are designed to download and execute a payload from one of the two provided URLs. The ClamAV detection explicitly identifies this as Trickbot, a known banking trojan. The macros reconstruct URLs from cell arrays, indicating a downloader functionality.
Heuristics 5
-
ClamAV: Xls.Downloader.Trickbot07210-9880007-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Trickbot07210-9880007-0
-
Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
URL reconstructed from XLM cell array (2 URLs) critical OOXML_XLM_CELL_ARRAY_URLExcel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order plus FORMULA cell-reference concatenation in token order.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://carpascapital.com/gBPg8MtsGbv/ka.html Referenced by macro
- https://gruasphenbogota.com/C74hwGGxi/ka.htmlReferenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bin |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 114341 bytes |
SHA-256: 65b31383ca3393f64442772037b98b4f5c46621ce706450ae7aeaedb9d399b40 |
|||
Preview scriptFirst 1,000 lines of the extracted script
� � � @ �������� � I � � � @ d d � $ � � % �� & � I , � < 8 I < 9 9 < : ? I < @ �? I � � % �� & , =
! " # % �� & , =
! " # : % �� & , =
: % �� & , =
< % �� & , =
� : - h t t p s : / / c a r p a s c a p i t a l . c o m / g B P g 8 M t s G b v / k a . h t m l ] - h t t p s : / / c a r p a s c a p i t a l . c o m / g B P g 8 M t s G b v / k a . h t m l % �� & , =
� : - h t t p s : / / g r u a s p h e n b o g o t a . c o m / C 7 4 h w G G x i / k a . h t m l ] - h t t p s : / / g r u a s p h e n b o g o t a . c o m / C 7 4 h w G G x i / k a . h t m l % �� & , =
% �� & , =
% �� & , =
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.