MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open entry, which is a known technique for executing malicious code upon opening the document. Heuristics indicate the use of dangerous formula APIs like RUN, suggesting the macro is designed to download and execute a secondary payload. ClamAV detection further confirms its malicious nature.
Heuristics 4
- ClamAV: Xls.Dropper.Agent-7995294-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-7995294-0
- Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 134280 bytes |

SHA-256: c654a0e392d03bdf40ed4181592337e8aa53c3fa7c905cb50632b4a8d7d9044c
Preview script: first 1,000 lines of the extracted script