MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1566.002 Spearphishing Attachment
The file is an XLSX document containing VBA macros and an Excel 4.0 macro sheet. The critical heuristic 'OOXML_XLM_MACROSHEET' indicates the presence of Excel 4.0 macros, which are known for their ability to execute arbitrary code. The 'OLE_VBA_CREATEOBJ' heuristic further suggests that the VBA code is designed to interact with the system, likely to download and execute a secondary payload. The presence of these macro types and the associated heuristics strongly indicate a malicious intent, commonly used for initial access or payload delivery.
Heuristics 3
-
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basb6502c29456e522e6b9d754fbd75bcaf99d8e82258eff05d4cfbabacc5ad882b |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3012 bytes |
vbaProject_00.bine728c8a32ad9bdb871536c85aa2d165e4e1e4ec67c40287fd09178c0781aa101 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 23552 bytes |
xlm_sheet_00.bin8772053a5df4a1ab85b962bda4ca8bf6d73b3208996881026e12983f83068bdc |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 1737 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.