Malware Insights
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that an ActiveX event triggers the execution of a decoded Excel 4.0 macro. The VBA script 'macros.bas' contains a subroutine 'stampas' that iterates through constants in the active sheet, decodes them, and executes them using 'ExecuteExcel4Macro'. This mechanism is commonly used to download and execute further stages of malware. The document body consists of seemingly random alphanumeric strings and numbers, which likely serve as obfuscated data for the macro. No specific IOCs like URLs or hashes were directly extracted from the script, hence the family is unknown.
Heuristics 2
-
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGERVBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basc9f5f2abb1ec83a7b2fd2fa0daa5b1544a35d2d1e2154dc63914a62a7b09ea3c |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1077 bytes |
vbaProject_00.bin3bf76bc3469e268cc801827cda32578d7fd26dbc699bc815fe0e063634977ace |
vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes |
emf_00.emf76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.