MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that the VBA code within the document is designed to execute Excel 4.0 macro formulas. The VBA script 'sbjk' iterates through constants in the used range, concatenates specific characters, and then uses 'ExecuteExcel4Macro' to run decoded formulas. This mechanism is commonly used to download and execute further malicious content. No specific IOCs were extracted, and the family is unknown due to the generic nature of the obfuscation.
Heuristics 2
-
VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGERVBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basb04961a05ea4f10a5e69c42a567fdfaa29363ec6dedce4d85b473095ba26f417 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1141 bytes |
vbaProject_00.bind0c80d154439bd128bce8d27e755ae8c7c53c6947328e71598b4aa4e56df63a0 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16384 bytes |
emf_00.emf76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.