Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is an Excel workbook containing obfuscated Excel 4.0 macros. Critical heuristics indicate the presence of an Auto_Open execution chain, suggesting the macros are designed to run automatically upon opening the document. The specific obfuscation techniques used in the XLM macros prevent a more detailed analysis of the payload, but the intent is to execute arbitrary code.
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 125141 bytes |

SHA-256 (xlm_macros.txt): f4c44016c5574d7ef179e3ca6a37cf94191371215354b41dd620da4038f5b21a
Preview script: first 1,000 lines of the extracted script