MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
T1204.002 Malicious File
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that VBA code is used to launch decoded Excel 4.0 macros via ExecuteExcel4Macro. The VBA script contains functions for string manipulation and obfuscation, and the 'crlf' subroutine appears to be responsible for deobfuscating and executing the Excel 4.0 macros. The 'logo' subroutine directly calls ExecuteExcel4Macro, suggesting it's used for payload execution. The document body contains a large amount of seemingly random text, which might be part of an obfuscation or anti-analysis technique.
Heuristics 2
-
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGERVBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas399190e1c3bd6544b405e0e990d47c66567fc202081910f76f15155f24fd53f0 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1610 bytes |
vbaProject_00.bin0d097958a7182be01de8cdc8889f53b046c3599aeb4c439329c9555ce8bc7a99 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17920 bytes |
emf_00.emf76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.