MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Service Execution: Service Control
T1204.002 Malicious File: User Execution
T1105 Ingress Tool Transfer
The file contains Excel 4.0 macros that utilize dangerous functions like CALL and RUN, indicating an attempt to download and execute a payload. The embedded URL and the document body text explicitly mention downloading a file named 'uuhof.exe' and executing it, strongly suggesting a downloader functionality. The use of these specific macro functions points to a malicious intent to compromise the user's system.
Heuristics 3
-
Dangerous XLM formula APIs: RUN, HALT, CALL critical OOXML_XLM_DANGEROUS_FNExcel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
-
Excel 4.0 macro sheet (1 sheet(s)) high OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://arthritisreliefhq.com/fermond/hermon.php
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.xml2eb4ebb455ca52627c4d9e9decc2dd673b8346dadf018c3bfa7d9f7a69071f1f |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 3998 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.